From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Sven Auhagen <sven.auhagen@voleatech.de>,
netfilter-devel@vger.kernel.org, cratiu@nvidia.com,
ozsh@nvidia.com, vladbu@nvidia.com, gal@nvidia.com, fw@strlen.de
Subject: Re: [PATCH nf] netfilter: flowtable: infer TCP state and timeout before flow teardown
Date: Thu, 11 Apr 2024 13:05:04 +0200 [thread overview]
Message-ID: <20240411110504.GE18399@breakpoint.cc> (raw)
In-Reply-To: <ZhetEIvz_vCB-A5D@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> I can also see IP_CT_TCP_FLAG_CLOSE_INIT is not set on when ct->state
> is adjusted to _FIN_WAIT state in the fixup routine.
Unrelated to this patch, but I think that there is an increasing and
disturbing amount of code that attempts to 'fix' the ct state.
I don't think its right and I intend to remove all of these "fixups"
of the conntrack state from flowtable infra.
I see no reason whatsoever why we need to do this, fin can be passed up
to conntrack and conntrack can and should handle this without any extra
mucking with the nf_conn state fields from flowtable infra.
The only cases where I see why we need to take action from
flowtable layer are:
1. timeout extensions of nf_conn from gc worker to prevent eviction
2. removal of the flowtable entry on RST reception. Don't see why that
needs state fixup of nf_conn.
3. removal of the flowtable entry on hard failure of
output routines, e.g. because route is stale.
Don't see why that needs any nf_conn changes either.
My impression is that all these conditionals paper over some other
bugs, for example gc_worker extending timeout is racing with the
datapath, this needs to be fixed first.
I plan to work on this after the selftest fixups.
next prev parent reply other threads:[~2024-04-11 11:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-18 9:39 [PATCH nf] netfilter: flowtable: infer TCP state and timeout before flow teardown Pablo Neira Ayuso
2024-03-18 10:05 ` Sven Auhagen
2024-03-20 8:39 ` Sven Auhagen
2024-03-20 8:45 ` Pablo Neira Ayuso
2024-03-20 8:49 ` Sven Auhagen
2024-03-20 9:07 ` Pablo Neira Ayuso
2024-03-20 9:20 ` Sven Auhagen
2024-03-20 9:27 ` Pablo Neira Ayuso
2024-03-20 9:31 ` Sven Auhagen
2024-03-20 9:51 ` Pablo Neira Ayuso
2024-03-20 10:13 ` Sven Auhagen
2024-03-20 10:36 ` Pablo Neira Ayuso
2024-03-20 10:38 ` Sven Auhagen
2024-03-20 10:29 ` Sven Auhagen
2024-03-20 10:47 ` Pablo Neira Ayuso
2024-03-20 11:15 ` Sven Auhagen
2024-03-20 12:37 ` Pablo Neira Ayuso
2024-03-20 13:37 ` Sven Auhagen
2024-04-08 5:24 ` Sven Auhagen
2024-04-09 11:11 ` Pablo Neira Ayuso
2024-04-09 11:35 ` Sven Auhagen
2024-04-11 9:27 ` Pablo Neira Ayuso
2024-04-11 11:05 ` Florian Westphal [this message]
2024-04-11 11:40 ` Pablo Neira Ayuso
2024-04-11 12:13 ` Florian Westphal
2024-04-11 15:50 ` Pablo Neira Ayuso
2024-04-19 7:47 ` Sven Auhagen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240411110504.GE18399@breakpoint.cc \
--to=fw@strlen.de \
--cc=cratiu@nvidia.com \
--cc=gal@nvidia.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=ozsh@nvidia.com \
--cc=pablo@netfilter.org \
--cc=sven.auhagen@voleatech.de \
--cc=vladbu@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.