From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: Eugene Crosser <crosser@average.org>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
Lahav Schlesinger <lschlesinger@drivenets.com>,
David Ahern <dsahern@kernel.org>
Subject: Re: Commit 09e856d54bda5f288ef8437a90ab2b9b3eab83d1r "vrf: Reset skb conntrack connection on VRF rcv" breaks expected netfilter behaviour
Date: Fri, 15 Oct 2021 23:04:48 +0200 [thread overview]
Message-ID: <20211015210448.GA5069@breakpoint.cc> (raw)
In-Reply-To: <20211013092235.GA32450@breakpoint.cc>
Florian Westphal <fw@strlen.de> wrote:
> Eugene Crosser <crosser@average.org> wrote:
> > Maybe a better solution for stray conntrack entries would be to
> > introduce finer control in netfilter? One possible idea would be to
> > implement both "track" and "notrack" targets; then a working
> > configuration would look like this:
>
> 'track' is hard to implement correctly because of RELATED traffic.
>
> E.g. 'tcp dport 22 track' won't work correctly because icmp pmtu
> won't be handled.
>
> I'd suggest to try a conditional nf_ct_reset that keeps the conntrack
> entry if its in another zone.
>
> I can't think of another solution at the moment, the existing behaviour
> of resetting conntrack entry for postrouting/output is too old,
> otherwise the better solution IMO would be to keep that entry around on
> egress if a NAT rewrite has been done. This would avoid the 'double snat'
> problem that the 'reset on ingress' tries to solve.
I'm working on this.
Eugene, I think it makes sense if you send a formal revert, a proper
fix for snat+vrf needs more work.
I think this is fixable but it will likely be not acceptable for net
tree.
next prev parent reply other threads:[~2021-10-15 21:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-12 13:28 Commit 09e856d54bda5f288ef8437a90ab2b9b3eab83d1r "vrf: Reset skb conntrack connection on VRF rcv" breaks expected netfilter behaviour Eugene Crosser
2021-10-13 9:22 ` Florian Westphal
2021-10-15 21:04 ` Florian Westphal [this message]
2021-10-16 18:51 ` David Ahern
2021-10-18 14:34 ` Florian Westphal
2021-10-18 18:14 ` David Ahern
2021-10-19 11:49 ` Florian Westphal
2021-10-19 13:21 ` Eugene Crosser
2021-10-19 14:34 ` David Ahern
2021-10-19 14:46 ` Florian Westphal
2021-10-19 21:41 ` Jakub Kicinski
2021-10-13 12:28 ` Lahav Schlesinger
2021-10-13 12:58 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211015210448.GA5069@breakpoint.cc \
--to=fw@strlen.de \
--cc=crosser@average.org \
--cc=dsahern@kernel.org \
--cc=lschlesinger@drivenets.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.