From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sven Auhagen <sven.auhagen@voleatech.de>
Cc: netfilter-devel@vger.kernel.org, cratiu@nvidia.com,
	ozsh@nvidia.com, vladbu@nvidia.com, gal@nvidia.com, fw@strlen.de
Subject: Re: [PATCH nf] netfilter: flowtable: infer TCP state and timeout before flow teardown
Date: Wed, 20 Mar 2024 09:45:16 +0100	[thread overview]
Message-ID: <ZfqiHPpUfFwHI5-h@calendula> (raw)
In-Reply-To: <zxdruu67c2xs6zrhagjilitxu5ysik5x7zvk3kthzcclype22c@nevv7c7adz7z>

Hi Sven,

On Wed, Mar 20, 2024 at 09:39:16AM +0100, Sven Auhagen wrote:
> On Mon, Mar 18, 2024 at 10:39:15AM +0100, Pablo Neira Ayuso wrote:
[...]
> > diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> > index a0571339239c..481fe3d96bbc 100644
> > --- a/net/netfilter/nf_flow_table_core.c
> > +++ b/net/netfilter/nf_flow_table_core.c
> > @@ -165,10 +165,22 @@ void flow_offload_route_init(struct flow_offload *flow,
> >  }
> >  EXPORT_SYMBOL_GPL(flow_offload_route_init);
> >  
> > -static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
> > +static s32 flow_offload_fixup_tcp(struct net *net, struct nf_conn *ct,
> > +				  enum tcp_conntrack tcp_state)
> >  {
> > -	tcp->seen[0].td_maxwin = 0;
> > -	tcp->seen[1].td_maxwin = 0;
> > +	struct nf_tcp_net *tn = nf_tcp_pernet(net);
> > +
> > +	ct->proto.tcp.state = tcp_state;
> > +	ct->proto.tcp.seen[0].td_maxwin = 0;
> > +	ct->proto.tcp.seen[1].td_maxwin = 0;
> > +
> > +	/* Similar to mid-connection pickup with loose=1.
> > +	 * Avoid large ESTABLISHED timeout.
> > +	 */
> > +	if (tcp_state == TCP_CONNTRACK_ESTABLISHED)
> > +		return tn->timeouts[TCP_CONNTRACK_UNACK];
> 
> Hi Pablo,
> 
> I tested the patch but the part that sets the timeout to UNACK is not
> very practical.
> For example my long running SSH connections get killed off by the firewall
> regularly now while being ESTABLISHED:
> 
> [NEW] tcp      6 120 SYN_SENT src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 [UNREPLIED] src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 mark=16777216
> [UPDATE] tcp      6 60 SYN_RECV src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 mark=16777216
> [UPDATE] tcp      6 86400 ESTABLISHED src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 [OFFLOAD] mark=16777216
> 
> [DESTROY] tcp      6 ESTABLISHED src=192.168.6.55 dst=192.168.10.22 sport=54941 dport=22 packets=133 bytes=13033 src=192.168.10.22 dst=192.168.6.55 sport=22 dport=54941 packets=95 bytes=15004 [ASSURED] mark=16777216 delta-time=1036
> 
> I would remove the if case here.

OK, I remove it and post a v2. Thanks!

> > +
> > +	return tn->timeouts[tcp_state];
> >  }
> >  
> >  static void flow_offload_fixup_ct(struct nf_conn *ct)
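Review bot: the early `return tn->timeouts[TCP_CONNTRACK_UNACK]` for `TCP_CONNTRACK_ESTABLISHED` means every offloaded connection whose flow is torn down while established is re-armed with the much shorter UNACK timer instead of the ESTABLISHED one, which is exactly the long-lived-session expiry reported above (the DESTROY arrives in ESTABLISHED at delta-time=1036, far below the 86400 announced at offload); dropping that branch so the function always returns `tn->timeouts[tcp_state]` is the right change, and the "Similar to mid-connection pickup with loose=1" comment should go with it rather than stay as a stale rationale. Separately, the function now writes `ct->proto.tcp.state` and both `seen[].td_maxwin` entries directly but the hunk does not show the caller, so a one-line comment stating which lock (if any) the caller is expected to hold over these writes would help the next reader of `flow_offload_fixup_tcp()`.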

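A userspace check for the symptom Sven reports, added here as an example that is not part of the thread or of the netfilter code: it parses conntrack event lines in the format quoted above (the sample is constructed, with the DESTROY re-keyed to the same ports as the offloaded entry so the two match) and reports offloaded flows that were destroyed while still ESTABLISHED at an age below the timeout announced at offload time. A connection closed by FIN/RST leaves ESTABLISHED before its DESTROY, so a DESTROY still in ESTABLISHED well under that timeout shows the entry expired on a shorter timer after flow teardown.

```python
import re

# Constructed sample, modelled on the conntrack event lines quoted in this thread;
# the DESTROY uses the same ports as the offloaded entry so the two can be matched.
SAMPLE_EVENTS = """\
[NEW] tcp      6 120 SYN_SENT src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 [UNREPLIED] src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 mark=16777216
[UPDATE] tcp      6 60 SYN_RECV src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 mark=16777216
[UPDATE] tcp      6 86400 ESTABLISHED src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 [OFFLOAD] mark=16777216
[DESTROY] tcp      6 ESTABLISHED src=192.168.6.55 dst=192.168.10.22 sport=55582 dport=22 packets=133 bytes=13033 src=192.168.10.22 dst=192.168.6.55 sport=22 dport=55582 packets=95 bytes=15004 [ASSURED] mark=16777216 delta-time=1036
"""
# Layout: [EVENT] proto protonum [timeout] STATE key=value ...  (DESTROY carries no timeout)
EVENT_RE = re.compile(
    r"^\[(?P<event>NEW|UPDATE|DESTROY)\]\s+(?P<proto>\w+)\s+(?P<protonum>\d+)"
    r"(?:\s+(?P<timeout>\d+))?\s+(?P<state>[A-Z_]+)\s+(?P<rest>.*)$"
)
def parse_event(line):
    """Parse one conntrack event line into a dict; None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    first = {}
    for key, value in re.findall(r"([\w-]+)=(\S+)", rest):
        first.setdefault(key, value)  # first occurrence = original direction
    flags = set(re.findall(r"\[([A-Z]+)\]", rest))
    return {
        "event": m.group("event"),
        "state": m.group("state"),
        "timeout": int(m.group("timeout")) if m.group("timeout") else None,
        "flow": (first.get("src"), first.get("sport"), first.get("dst"), first.get("dport")),
        "offload": "OFFLOAD" in flags,
        "delta_time": int(first["delta-time"]) if "delta-time" in first else None,
    }

def early_established_teardowns(events_text):
    """Offloaded ESTABLISHED entries later DESTROYed still ESTABLISHED below the announced timeout."""
    offloaded, hits = {}, []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event"] == "UPDATE" and ev["state"] == "ESTABLISHED" and ev["offload"]:
            offloaded[ev["flow"]] = ev["timeout"]  # timeout announced at offload time
        elif ev["event"] == "DESTROY" and ev["flow"] in offloaded:
            announced = offloaded.pop(ev["flow"])
            if (ev["state"] == "ESTABLISHED" and ev["delta_time"] is not None
                    and ev["delta_time"] < announced):
                hits.append((ev["flow"], ev["delta_time"], announced))
    return hits
```

Feed it the output of `conntrack -E` captured while the flowtable is in use; each hit is (original-direction tuple, age in seconds at DESTROY, timeout announced when the entry was offloaded).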