From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
	Marcelo Ricardo Leitner <mleitner@redhat.com>,
	Long Xin <lxin@redhat.com>,
	Claudio Porfiri <claudio.porfiri@ericsson.com>
Subject: Re: [PATCH 3/3] netfilter: conntrack: unify established states for SCTP paths
Date: Tue, 17 Jan 2023 12:54:40 +0100
Message-ID: <Y8aMgOo0XImPyS54@salvia>
In-Reply-To: <20230116093556.9437-4-sriram.yagnaraman@est.tech>

On Mon, Jan 16, 2023 at 10:35:56AM +0100, Sriram Yagnaraman wrote:
> An SCTP endpoint can start an association through a path and tear it
> down over another one. That means the initial path will not see the
> shutdown sequence, and the conntrack entry will remain in ESTABLISHED
> state for 5 days.
> 
> By merging the HEARTBEAT_ACKED and ESTABLISHED states into one
> ESTABLISHED state, there remains no difference between a primary or
> secondary path. The timeout for the merged ESTABLISHED state is set to
> 210 seconds (hb_interval * max_path_retrans + rto_max). So, even if a
> path doesn't see the shutdown sequence, it will expire in a reasonable
> amount of time.
> 
> Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
> ---
>  .../uapi/linux/netfilter/nf_conntrack_sctp.h  |  4 +-
>  .../linux/netfilter/nfnetlink_cttimeout.h     |  4 +-
>  net/netfilter/nf_conntrack_proto_sctp.c       | 90 ++++++++-----------
>  net/netfilter/nf_conntrack_standalone.c       | 16 ----
>  4 files changed, 42 insertions(+), 72 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
> index c742469afe21..150fc3c056ea 100644
> --- a/include/uapi/linux/netfilter/nf_conntrack_sctp.h
> +++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
> @@ -15,8 +15,8 @@ enum sctp_conntrack {
>  	SCTP_CONNTRACK_SHUTDOWN_RECD,
>  	SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
>  	SCTP_CONNTRACK_HEARTBEAT_SENT,
> -	SCTP_CONNTRACK_HEARTBEAT_ACKED,
> -	SCTP_CONNTRACK_DATA_SENT,
> +	SCTP_CONNTRACK_HEARTBEAT_ACKED,	/* no longer used */
> +	SCTP_CONNTRACK_DATA_SENT,	/* no longer used */
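
Review bot: The `/* no longer used */` comments on
SCTP_CONNTRACK_HEARTBEAT_ACKED and SCTP_CONNTRACK_DATA_SENT in enum
sctp_conntrack do not say why the two entries stay in the header. This
is a uapi file, so a reader cannot tell whether they are reserved on
purpose or simply left over. Consider wording such as
`/* no longer used, kept so uapi enum values stay stable */`, and have
the commit message state that both states remain defined for userspace
but are never set by the tracker after this change.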

_DATA_SENT was added in the previous development cycle, to my
knowledge it has been present in 6.1-rc only. Then I think you can
post a patch to revert this explaining why there is no need for
_DATA_SENT anymore. You can revert it before this patch (with my
suggestion, your series will contain 4 patches).

One question of mine: Did you extract the new established timeout from
RFC, where this formula came from?

210 seconds = hb_interval * max_path_retrans + rto_max

And thanks, if this works for you, I prefer this incremental approach
by improving the existing SCTP tracker.
