From: Florian Westphal <fw@strlen.de>
To: Sven Auhagen <sven.auhagen@voleatech.de>
Cc: Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: Flowtable race condition error
Date: Thu, 14 Mar 2024 12:21:26 +0100
Message-ID: <20240314112126.GC1038@breakpoint.cc>
In-Reply-To: <3ku3nssbmgc7jn7mlslvag5rdn2mbqcszkm4mccnzd72uhbb3o@uwkhkhxg3msw>

Sven Auhagen <sven.auhagen@voleatech.de> wrote:
> I think you have a valid point with the not calling flow_offload_teardown but maybe
> we need to do something else instead like lower the flowtable entry timeout to trigger a
> faster gc for both udp and tcp.

conntrack core should receive the fin/rst packet, and should switch the
state entry accordingly, i.e. away from established.

I suspect that gc_worker() "repairs" the timeout to a huge value again
because the OFFLOAD flag is left in place.

However, this change:

> >         if (nf_flow_has_expired(flow) ||
> >             nf_ct_is_dying(flow->ct) ||
> > +           !nf_conntrack_tcp_established(ct) ||
> >             nf_flow_custom_gc(flow_table, flow))
> >                 flow_offload_teardown(flow);
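
Review bot: the added `!nf_conntrack_tcp_established(ct)` test sits in the condition with no protocol check in front of it, so as written it is evaluated for every flow in the table, including the UDP flows mentioned earlier in this thread, and a TCP-state helper applied to a non-TCP entry would be expected to fail and tear the flow down on each gc pass. Suggest gating it on the flow's conntrack entry being TCP before testing the state. The argument should also be `flow->ct` to match the `nf_ct_is_dying(flow->ct)` line directly above, since no `ct` variable is visible in the quoted lines.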

(well, flow->ct, I did not test this at all).

should still make flowtable gc remove the entry.

I think if possible we should get rid of ct/flowtable
entanglements where possible rather than adding more.

F.e. early drop should probably not test or care about
offload flag anymore.
