From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Maciej Żenczykowski" <zenczykowski@gmail.com>
Cc: Florian Westphal <fw@strlen.de>,
Linux Network Development Mailing List <netdev@vger.kernel.org>,
Netfilter Development Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH netfilter] netfilter: conntrack: udp: generate event on switch to stream timeout
Date: Mon, 18 Oct 2021 00:04:19 +0200
Message-ID: <YWyd44P+ey9VXvRn@salvia>
In-Reply-To: <CAHo-OoxsN5d+ipbp0TQ=a+o=ynd3-w5RZ3S3F8Vg89ipT5=UHw@mail.gmail.com>
On Fri, Oct 15, 2021 at 03:15:07AM -0700, Maciej Żenczykowski wrote:
> On Fri, Oct 15, 2021 at 2:57 AM Florian Westphal <fw@strlen.de> wrote:
> > Maciej Żenczykowski <zenczykowski@gmail.com> wrote:
[...]
> A UDP flow becoming bidirectional seems like an important event to
> notify about...
> After all, the UDP flow might become a stream 29 seconds after it
> becomes bidirectional...
> That seems like a pretty long time (and it's user configurable to be
> even longer) to delay the notification.
>
> I imagine the pair of you know best whether 2 events or delay assured
> event until stream timeout is applied makes more sense...
These 2 events look awkward to me; currently the model we have to
report events is:
- status bits are updated
- flow has changed protocol state (TCP).
But in this case, this is reporting a timer update. Timeout updates
are not reported on events, since this would trigger too many events,
one per packet.
What's the concern with delaying the IPS_ASSURED bit?
By setting a lower timeout (30 seconds), my understanding is that this
flow is less important than those that are in the stream state (120s),
so these should also be candidates to be removed by early_drop. IIRC,
the idea behind the stream concept is to reduce the lifetime of short-lived
UDP flows to release slots from the conntrack table earlier.
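As an added example (not code from this thread or from the netfilter project): a small Python parser over constructed `conntrack -E -o timestamp` output that measures, per UDP flow, how long after the NEW event a reply was first seen and how much later the [ASSURED] event arrived when the kernel moved the flow to the stream timeout. The sample lines, their timestamps and addresses are constructed, and the exact whitespace of the tool's output is an assumption the regex tolerates.

```python
import re
from collections import OrderedDict

# Constructed sample of `conntrack -E -o timestamp` output (not a capture
# from a real host). Flow A gets a reply 0.4s after NEW but is only marked
# ASSURED ~29.5s later, when the kernel moves it to the 120s stream timeout;
# flow B never gets a reply and is destroyed after the 30s timeout.
SAMPLE_EVENTS = """\
[1634290000.000000]      [NEW] udp      17 30 src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=53 [UNREPLIED] src=10.0.0.2 dst=10.0.0.1 sport=53 dport=40000
[1634290000.400000]   [UPDATE] udp      17 30 src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=53 src=10.0.0.2 dst=10.0.0.1 sport=53 dport=40000
[1634290029.900000]   [UPDATE] udp      17 120 src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=53 src=10.0.0.2 dst=10.0.0.1 sport=53 dport=40000 [ASSURED]
[1634290100.000000]      [NEW] udp      17 30 src=10.0.0.3 dst=10.0.0.2 sport=40001 dport=53 [UNREPLIED] src=10.0.0.2 dst=10.0.0.3 sport=53 dport=40001
[1634290130.000000]  [DESTROY] udp      17 src=10.0.0.3 dst=10.0.0.2 sport=40001 dport=53 [UNREPLIED] src=10.0.0.2 dst=10.0.0.3 sport=53 dport=40001
"""

# Timeout column is absent on DESTROY events, hence optional.
EVENT_RE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\]\s+\[(?P<kind>[A-Z]+)\]\s+udp\s+17\s+"
    r"(?:(?P<timeout>\d+)\s+)?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)(?P<rest>.*)$"
)

def analyze(events):
    """Per UDP flow (original-direction tuple), record how long after the
    NEW event the flow was first seen replied and first seen ASSURED, plus
    the timeout values at those points. Returns an ordered dict by flow."""
    flows = OrderedDict()
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a UDP event in the expected format
        key = (m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
        ts, rest = float(m["ts"]), m["rest"]
        f = flows.setdefault(key, {"first_seen": ts, "replied_delay": None,
                                   "assured_delay": None, "initial_timeout": None,
                                   "stream_timeout": None, "destroyed": False})
        if m["kind"] == "NEW" and m["timeout"]:
            f["initial_timeout"] = int(m["timeout"])
        if m["kind"] == "DESTROY":
            f["destroyed"] = True
            continue
        # A reply has been seen once the kernel stops printing [UNREPLIED].
        if "[UNREPLIED]" not in rest and f["replied_delay"] is None:
            f["replied_delay"] = round(ts - f["first_seen"], 3)
        # [ASSURED] is only set when the flow moves to the stream timeout.
        if "[ASSURED]" in rest and f["assured_delay"] is None:
            f["assured_delay"] = round(ts - f["first_seen"], 3)
            f["stream_timeout"] = int(m["timeout"]) if m["timeout"] else None
    return flows

if __name__ == "__main__":
    for key, f in analyze(SAMPLE_EVENTS).items():
        print(key, f)
```

The gap between `replied_delay` and `assured_delay` for flow A is the notification delay the thread is discussing.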