From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
	Marcelo Ricardo Leitner <mleitner@redhat.com>,
	Long Xin <lxin@redhat.com>,
	Claudio Porfiri <claudio.porfiri@ericsson.com>
Subject: Re: [PATCH 3/3] netfilter: conntrack: unify established states for SCTP paths
Date: Tue, 17 Jan 2023 13:01:51 +0100
Message-ID: <Y8aOLydRlSqemdf/@salvia>
In-Reply-To: <Y8aMgOo0XImPyS54@salvia>

On Tue, Jan 17, 2023 at 12:54:40PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Jan 16, 2023 at 10:35:56AM +0100, Sriram Yagnaraman wrote:
> > An SCTP endpoint can start an association through a path and tear it
> > down over another one. That means the initial path will not see the
> > shutdown sequence, and the conntrack entry will remain in ESTABLISHED
> > state for 5 days.
> > 
> > By merging the HEARTBEAT_ACKED and ESTABLISHED states into one
> > ESTABLISHED state, there remains no difference between a primary or
> > secondary path. The timeout for the merged ESTABLISHED state is set to
> > 210 seconds (hb_interval * max_path_retrans + rto_max). So, even if a
> > path doesn't see the shutdown sequence, it will expire in a reasonable
> > amount of time.
> > 
> > Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
> > ---
> >  .../uapi/linux/netfilter/nf_conntrack_sctp.h  |  4 +-
> >  .../linux/netfilter/nfnetlink_cttimeout.h     |  4 +-
> >  net/netfilter/nf_conntrack_proto_sctp.c       | 90 ++++++++-----------
> >  net/netfilter/nf_conntrack_standalone.c       | 16 ----
> >  4 files changed, 42 insertions(+), 72 deletions(-)
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
> > index c742469afe21..150fc3c056ea 100644
> > --- a/include/uapi/linux/netfilter/nf_conntrack_sctp.h
> > +++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
> > @@ -15,8 +15,8 @@ enum sctp_conntrack {
> >  	SCTP_CONNTRACK_SHUTDOWN_RECD,
> >  	SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
> >  	SCTP_CONNTRACK_HEARTBEAT_SENT,
> > -	SCTP_CONNTRACK_HEARTBEAT_ACKED,
> > -	SCTP_CONNTRACK_DATA_SENT,
> > +	SCTP_CONNTRACK_HEARTBEAT_ACKED,	/* no longer used */
> > +	SCTP_CONNTRACK_DATA_SENT,	/* no longer used */
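
Review bot: the "/* no longer used */" comments on SCTP_CONNTRACK_HEARTBEAT_ACKED and SCTP_CONNTRACK_DATA_SENT in this uapi enum do not say why the values are dead or what userspace should expect instead. The commit message explains that HEARTBEAT_ACKED is merged into ESTABLISHED but gives no reason for retiring DATA_SENT; consider a comment such as "/* no longer used, merged into ESTABLISHED */" for the first and a sentence in the commit message covering the second. Keeping both entries in place rather than deleting them leaves the numbering of any entries that follow unchanged, which is also worth stating in the commit message since this header is exported to userspace.
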
> 
> _DATA_SENT was added in the previous development cycle, to my
> knowledge it has been present in 6.1-rc only. Then I think you can

Actually, I mean 6.2-rc releases.

> post a patch to revert this explaining why there is no need for
> _DATA_SENT anymore. You can revert it before this patch (with my
> suggestion, your series will contain 4 patches).
> 
> One question of mine: Did you extract the new established timeout from
> RFC? Where did this formula come from?
> 
> 210 seconds = hb_interval * max_path_retrans + rto_max
> 
> And thanks, if this works for you, I prefer this incremental approach
> by improving the existing SCTP tracker.
