From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: ctnetlink: always include remaining timeout
Date: Thu, 10 Dec 2020 14:32:00 +0100
Message-ID: <20201210133200.GE31101@breakpoint.cc>
In-Reply-To: <20201210131906.GA18962@salvia>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Dec 10, 2020 at 12:20:22PM +0100, Florian Westphal wrote:
> > DESTROY events do not include the remaining timeout.
> >
> > Unconditionally including the timeout allows to see if the entry timed
> > out or was removed explicitly.
> >
> > The latter case can happen when a conntrack gets deleted prematurely,
> > e.g. due to a tcp reset, module removal, netdev notifier (nat/masquerade
> > device went down), ctnetlink and so on.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> > Might make sense to further extend nf_ct_delete and also pass a
> > reason code in the future.
>
> IIRC, TCP state is not included in the event, right?

No, protoinfo is only dumped for non-destroy case.

> This has been requested many times in the past, to debug connectivity
> issues too.
>
> Probably extending .to_nlattr to take a bool parameter to specify if
> this is the destroy event path, then _only_ include the TCP state
> information there (other TCP information is not relevant and netlink
> bandwidth is limited from the event path).

Sounds reasonable, will send a v2.

Thread overview: 3+ messages
2020-12-10 11:20 [PATCH nf-next] netfilter: ctnetlink: always include remaining timeout Florian Westphal
2020-12-10 13:19 ` Pablo Neira Ayuso
2020-12-10 13:32 ` Florian Westphal [this message]
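
An added illustration, not code from the patch or from anyone in the thread: how a userspace event listener could use the CTA_TIMEOUT attribute of a ctnetlink DESTROY message to separate expiry from early removal, as the patch description intends. Assumptions: a remaining timeout of 0 seconds means the entry expired and any other value means it was removed early; the message bytes are constructed, and the names classify_destroy, classify_sample and put_attr are made up for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Constants as defined in the Linux uapi nfnetlink headers. */
enum { NFNL_SUBSYS_CTNETLINK = 1, IPCTNL_MSG_CT_DELETE = 2, CTA_STATUS = 3, CTA_TIMEOUT = 7 };
enum { HDRS = 16 + 4 };                 /* nlmsghdr + nfgenmsg */
enum reason { MALFORMED = -1, NOT_DESTROY, NO_TIMEOUT, TIMED_OUT, REMOVED_EARLY };

/* Classify one message; *secs receives the remaining timeout when present. */
enum reason classify_destroy(const uint8_t *buf, size_t len, uint32_t *secs)
{
    uint32_t mlen, be; uint16_t mtype, alen, atype;
    if (len < HDRS) return MALFORMED;
    memcpy(&mlen, buf, 4);              /* netlink headers are host-endian */
    memcpy(&mtype, buf + 4, 2);
    if (mlen < HDRS || mlen > len) return MALFORMED;
    if (mtype != ((NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE)) return NOT_DESTROY;
    for (size_t off = HDRS; off + 4 <= mlen; off += (alen + 3u) & ~3u) {
        memcpy(&alen, buf + off, 2);
        memcpy(&atype, buf + off + 2, 2);
        if (alen < 4 || off + alen > mlen) return MALFORMED;  /* never trust lengths */
        if ((atype & 0x3fff) != CTA_TIMEOUT) continue;        /* mask nla flag bits */
        if (alen != 8) return MALFORMED;
        memcpy(&be, buf + off + 4, 4);                         /* payload is be32 */
        *secs = ntohl(be);
        /* Assumption of this example: 0 left means expiry, else early removal. */
        return *secs ? REMOVED_EARLY : TIMED_OUT;
    }
    return NO_TIMEOUT;                  /* e.g. an event sent without the attribute */
}

/* Constructed sample input: one 8-byte attribute carrying a be32 value. */
static size_t put_attr(uint8_t *p, uint16_t type, uint32_t host_val)
{
    uint16_t alen = 8; uint32_t be = htonl(host_val);
    memcpy(p, &alen, 2); memcpy(p + 2, &type, 2); memcpy(p + 4, &be, 4);
    return 8;
}

/* Build a constructed message (CTA_STATUS, then optional CTA_TIMEOUT) and classify it. */
enum reason classify_sample(uint16_t msg, int with_timeout, uint32_t remaining)
{
    uint8_t buf[64] = {0}; uint32_t mlen = HDRS, secs = 0;
    uint16_t mtype = (NFNL_SUBSYS_CTNETLINK << 8) | msg;
    mlen += put_attr(buf + mlen, CTA_STATUS, 0x0e);
    if (with_timeout) mlen += put_attr(buf + mlen, CTA_TIMEOUT, remaining);
    memcpy(buf, &mlen, 4); memcpy(buf + 4, &mtype, 2);
    return classify_destroy(buf, mlen, &secs);
}
```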