From: Michal Kubecek <mkubecek@suse.cz>
To: Florian Westphal <fw@strlen.de>
Cc: Kristian Evensen <kristian.evensen@gmail.com>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>
Subject: Re: Silently dropped UDP packets on kernel 4.14
Date: Thu, 3 May 2018 11:42:41 +0200 [thread overview]
Message-ID: <20180503094241.mfos3scewpct3dnu@unicorn.suse.cz> (raw)
In-Reply-To: <20180503050345.iyasach2ogf25dt3@breakpoint.cc>
On Thu, May 03, 2018 at 07:03:45AM +0200, Florian Westphal wrote:
> Kristian Evensen <kristian.evensen@gmail.com> wrote:
> > I went for the early-insert approached and have patched
>
> I'm sorry for suggesting that.
>
> It doesn't work, because of NAT.
> NAT rewrites packet content and changes the reply tuple, but the tuples
> determine the hash insertion location.
>
> I don't know how to solve this problem.
It's an old problem which surfaces from time to time when some special
conditions make it more visible. When I was facing it in 2015, I found
this thread from as early as 2009:
https://www.spinics.net/lists/linux-net/msg16712.html
In our case, the customer was using IPVS in "one packet scheduling" mode
(it drops the conntrack entry after each packet) which increased the
probability of insert collisions significantly. Using NFQUEUE
We were lucky, though, as it turned out the only reason why customer
needed connection tracking was to make sure fragments of long UDP
datagrams are not sent to different real servers. For newer kernels
after commit 6aafeef03b9d ("netfilter: push reasm skb through instead of
original frag skbs"), this was no longer necessary so that they could
disable connection tracking for these packets.
For older kernels without this change, I tried several ideas, each of
which didn't work for some reason. We ended up with rather hacky
workaround, not dropping the packet on collision (so that its conntrack
wasn't inserted into the table and was dropped once the packet was
sent). It worked fine for our customer but like the early insert
approach, it wouldn't work with NAT.
One of the ideas I had was this:
- keep also unconfirmed conntracks in some data structure
- check new packets also against unconfirmed conntracks
- if it matches an unconfirmed conntrack, defer its processing
until that conntrack is either inserted or discarded
But as it would be rather complicated to implement without races and
harming performance, I didn't want to actually try it until I would
run out of other ideas. With NAT coming to the play, there doesn't seem
to be many other options.
Michal Kubecek
next prev parent reply other threads:[~2018-05-03 9:42 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-01 18:50 Silently dropped UDP packets on kernel 4.14 Kristian Evensen
2018-05-01 18:58 ` Kristian Evensen
2018-05-01 22:24 ` Florian Westphal
2018-05-01 22:42 ` Kristian Evensen
2018-05-02 23:54 ` Kristian Evensen
2018-05-03 5:03 ` Florian Westphal
2018-05-03 9:06 ` Kristian Evensen
2018-05-03 9:42 ` Michal Kubecek [this message]
2018-05-03 11:19 ` Kristian Evensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180503094241.mfos3scewpct3dnu@unicorn.suse.cz \
--to=mkubecek@suse.cz \
--cc=fw@strlen.de \
--cc=kristian.evensen@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox