From: Vlad Buslov <vladbu@nvidia.com>
To: Florian Westphal <fw@strlen.de>
Cc: <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nf-next] netfilter: conntrack: remove flowtable early-drop test
Date: Tue, 23 Apr 2024 15:16:31 +0300
Message-ID: <87sezc2rro.fsf@nvidia.com>
In-Reply-To: <20240423134434.8652-1-fw@strlen.de>
On Tue 23 Apr 2024 at 15:44, Florian Westphal <fw@strlen.de> wrote:
> Not sure why this special case exists. Early drop logic
> (which kicks in when conntrack table is full) should be independent
> of flowtable offload and only consider assured bit (i.e., two-way
> traffic was seen).
>
> flowtable entries hold a reference to the conntrack entry (struct
> nf_conn) that has been offloaded. The conntrack use count is not
> decremented until after the entry is free'd.
>
> This change therefore will not result in exceeding the conntrack table
> limit. It does allow early-drop of tcp flows even when they've been
> offloaded, but only if they have been offloaded before syn-ack was
> received or after at least one peer has sent a fin.
>
> Currently 'fin' packet reception already stops offloading, so this
> should not impact offloading either.
>
> Cc: Vlad Buslov <vladbu@nvidia.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> Vlad, do you remember why you added this test?
I added it when I introduced UDP NEW connection offload. As far as I
remember, the concern was that, since at the time the early drop
algorithm completely ignored all offloaded connections, a malicious user
could fill the whole table by just sending a single packet per range of
distinct 5-tuples, and none of the resulting connections would be early
dropped until they expire.
>
> For reference, this came in
> df25455e5a48 ("netfilter: nf_conntrack: allow early drop of offloaded UDP conns")
> and maybe was just a 'move-it-around' from the check in
> early_drop_list, which would mean this was there from the
> beginning. Doesn't change "i don't understand why this test
> exists" though :-)
>
> net/netfilter/nf_conntrack_core.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index c63868666bd9..43629e79067d 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1440,8 +1440,6 @@ static bool gc_worker_can_early_drop(const struct nf_conn *ct)
> const struct nf_conntrack_l4proto *l4proto;
> u8 protonum = nf_ct_protonum(ct);
>
> - if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP)
> - return false;
> if (!test_bit(IPS_ASSURED_BIT, &ct->status))
> return true;
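Review bot: with the two `test_bit(IPS_OFFLOAD_BIT, ...)` lines gone, nothing in gc_worker_can_early_drop records that offload status is deliberately ignored, and the reason it is safe (the flowtable holds a reference on the nf_conn, so early drop cannot free an entry out from under it) lives only in the commit message; a one-line comment above `if (!test_bit(IPS_ASSURED_BIT, &ct->status))` would keep the next reader from asking the same "why is this test (not) here" question. The table-filling scenario raised in the reply stays covered by the visible lines: an unassured entry, offloaded or not, still returns true at that assured-bit check, so single-packet flows remain early-drop candidates.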
Thread overview (5+ messages):
2024-04-23 13:44 [PATCH nf-next] netfilter: conntrack: remove flowtable early-drop test Florian Westphal
2024-04-23 12:16 ` Vlad Buslov [this message]
2024-04-23 13:05 ` Florian Westphal
2024-04-23 14:40 ` Vlad Buslov
2024-04-24 10:48 ` Florian Westphal
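As an added illustration of the predicate change discussed in this thread (not kernel code, and not from either author): a user-space model of gc_worker_can_early_drop before and after the removed lines, run over a constructed table of entries that includes the single-packet UDP flows from the reply and a TCP flow offloaded before SYN-ACK. The struct, the bit masks and the always-false stand-in for the per-protocol can_early_drop hook are assumptions made for the model.

```c
/* Added example: user-space model of the early-drop predicate before and
 * after the patch. Not kernel code; model_ct, IPS_ASSURED and IPS_OFFLOAD
 * are simplified stand-ins for struct nf_conn and its status bits. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_TCP 6
#define IPPROTO_UDP 17

#define IPS_ASSURED 0x1u   /* two-way traffic has been seen */
#define IPS_OFFLOAD 0x2u   /* entry has been handed to a flowtable */

struct model_ct {
    uint8_t protonum;
    unsigned int status;
};

/* Stand-in for l4proto->can_early_drop (assumption: the model never lets an
 * assured entry be dropped; the real hooks inspect per-protocol state). */
static bool l4_can_early_drop(const struct model_ct *ct)
{
    (void)ct;
    return false;
}

/* Predicate before the patch: offloaded non-UDP entries are never dropped. */
bool can_early_drop_old(const struct model_ct *ct)
{
    if ((ct->status & IPS_OFFLOAD) && ct->protonum != IPPROTO_UDP)
        return false;
    if (!(ct->status & IPS_ASSURED))
        return true;
    return l4_can_early_drop(ct);
}

/* Predicate after the patch: offload status is ignored, only assured counts. */
bool can_early_drop_new(const struct model_ct *ct)
{
    if (!(ct->status & IPS_ASSURED))
        return true;
    return l4_can_early_drop(ct);
}

/* How many entries a gc pass on a full table could reclaim under a predicate. */
size_t count_droppable(const struct model_ct *table, size_t n,
                       bool (*pred)(const struct model_ct *))
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (pred(&table[i]))
            count++;
    return count;
}

/* Constructed sample table (not real conntrack data). */
static const struct model_ct sample_table[] = {
    { IPPROTO_UDP, IPS_OFFLOAD },               /* single-packet UDP, offloaded at NEW */
    { IPPROTO_UDP, IPS_OFFLOAD },
    { IPPROTO_UDP, IPS_OFFLOAD },
    { IPPROTO_TCP, IPS_OFFLOAD },               /* TCP offloaded before SYN-ACK */
    { IPPROTO_TCP, IPS_OFFLOAD | IPS_ASSURED }, /* established TCP, offloaded */
    { IPPROTO_UDP, IPS_ASSURED },               /* two-way UDP, not offloaded */
    { IPPROTO_TCP, 0 },                         /* SYN seen only, not offloaded */
};
#define SAMPLE_LEN (sizeof(sample_table) / sizeof(sample_table[0]))

size_t droppable_old(void)
{
    return count_droppable(sample_table, SAMPLE_LEN, can_early_drop_old);
}

size_t droppable_new(void)
{
    return count_droppable(sample_table, SAMPLE_LEN, can_early_drop_new);
}

int main(void)
{
    printf("droppable before patch: %zu of %zu\n", droppable_old(), SAMPLE_LEN);
    printf("droppable after patch:  %zu of %zu\n", droppable_new(), SAMPLE_LEN);
    return 0;
}
```

The only entry whose fate changes is the TCP flow offloaded before SYN-ACK: the old predicate shielded it, the new one treats it like any other unassured entry. The single-packet UDP flows are droppable under both versions, which is the property the reply was concerned about.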