netfilter-devel.vger.kernel.org archive mirror
From: "wenxu@chinatelecom.cn" <wenxu@chinatelecom.cn>
To: wenxu <wenxu@chinatelecom.cn>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: Re: [PATCH nf-next] netfilter: nf_flow_table: delay teardown the offload flow until fin packet recv from both direction
Date: Tue, 2 Aug 2022 10:16:12 +0800
Message-ID: <202208021016120385278@chinatelecom.cn>
In-Reply-To: 202208020950236233262@chinatelecom.cn



>Hi,



> 



>On Tue, Jul 26, 2022 at 12:45:16AM -0400, wenxu@chinatelecom.cn wrote:



>> From: wenxu <wenxu@chinatelecom.cn>



>> 



>> A FIN packet received does not always mean the TCP connection is torn down.
>> In the TCP half-close case, only the client shuts down the connection
>> and the server can still sendmsg to the client. The connection
>> can still be offloaded until the server shuts down the connection.



>> 



>> Signed-off-by: wenxu <wenxu@chinatelecom.cn>



>> ---



>>  include/net/netfilter/nf_flow_table.h |  3 ++-



>>  net/netfilter/nf_flow_table_ip.c      | 14 ++++++++++----



>>  2 files changed, 12 insertions(+), 5 deletions(-)



>> 



>> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h



>> index d5326c4..0c4864d 100644



>> --- a/include/net/netfilter/nf_flow_table.h



>> +++ b/include/net/netfilter/nf_flow_table.h



>> @@ -129,7 +129,8 @@ struct flow_offload_tuple {



>>  /* All members above are keys for lookups, see flow_offload_hash(). */



>>  struct { } __hash;



>>  



>> - u8 dir:2, 



>> + u8 dir:1,



>> + fin:1,



>>  xmit_type:3,



>>  encap_num:2,



>>  in_vlan_ingress:2;
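
Review bot: narrowing `dir` from `:2` to `:1` to make room for `fin` needs a sentence in the commit message stating that `tuple.dir` only ever holds 0 or 1, because any larger value would now be truncated silently. `fin` is also per-packet runtime state placed in the same `u8` bitfield group as `dir`, `xmit_type` and the other setup-time fields, so setting it from the packet path is a non-atomic read-modify-write of storage shared with them; a separate flag word updated with atomic bit operations would avoid that.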



>> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c



>> index b350fe9..c191861 100644



>> --- a/net/netfilter/nf_flow_table_ip.c



>> +++ b/net/netfilter/nf_flow_table_ip.c



>> @@ -19,7 +19,8 @@



>>  #include <linux/udp.h>



>>  



>>  static int nf_flow_state_check(struct flow_offload *flow, int proto,



>> -        struct sk_buff *skb, unsigned int thoff)



>> +        struct sk_buff *skb, unsigned int thoff,



>> +        enum flow_offload_tuple_dir dir)



>>  {



>>  struct tcphdr *tcph;



>>  



>> @@ -27,9 +28,14 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto,



>>  return 0;



>>  



>>  tcph = (void *)(skb_network_header(skb) + thoff);



>> - if (unlikely(tcph->fin || tcph->rst)) {



>> + if (unlikely(tcph->rst)) {



>>  flow_offload_teardown(flow);



>>  return -1;



>> + } else if (unlikely(tcph->fin)) {



>> + flow->tuplehash[dir].tuple.fin = 1;



>> + if (flow->tuplehash[!dir].tuple.fin == 1)



>> + flow_offload_teardown(flow);
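
Review bot: in the new `else if (unlikely(tcph->fin))` branch, the store to `tuplehash[dir].tuple.fin` and the load of `tuplehash[!dir].tuple.fin` are plain bitfield accesses with nothing in the hunk ordering them. If the two FINs are processed at the same time on different CPUs, each side can set its own bit and still read the other as 0, so neither calls `flow_offload_teardown()`. Recording the FIN with a single atomic test-and-set on a flag word, and tearing down when the returned old value already carries the peer's bit, closes that window. The `!dir` index also relies on `dir` being exactly 0 or 1, which deserves a comment next to the new parameter.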



> 



>> Maybe add a new flag to enum nf_flow_flags instead?



>>



Maybe two flags are needed for this: NF_FLOW_FIN_ORIGIN, NF_FLOW_RELPY?
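
The half-close rule discussed in this thread, as an added user-space C model (not part of the patch, the kernel tree or either participant's mail): one FIN keeps the flow, FINs from both directions or an RST end it. All `demo_` names are hypothetical, and C11 `atomic_fetch_or` is an assumed stand-in for whatever atomic flag update the kernel code would use.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names: two per-direction FIN bits plus a teardown bit. */
enum demo_dir { DEMO_DIR_ORIGIN = 0, DEMO_DIR_REPLY = 1 };
enum {
    DEMO_FIN_ORIGIN = 1u << 0,
    DEMO_FIN_REPLY  = 1u << 1,
    DEMO_TEARDOWN   = 1u << 2,
    DEMO_FIN_BOTH   = DEMO_FIN_ORIGIN | DEMO_FIN_REPLY,
};

struct demo_flow { atomic_uint flags; };

static void demo_flow_init(struct demo_flow *f) { atomic_init(&f->flags, 0); }

static bool demo_torn_down(struct demo_flow *f)
{
    return atomic_load(&f->flags) & DEMO_TEARDOWN;
}

/* Returns true when the packet ends offload for this flow. */
static bool demo_state_check(struct demo_flow *f, enum demo_dir dir,
                             bool fin, bool rst)
{
    unsigned int mine, seen;

    if (!rst) {
        if (!fin)
            return false;               /* ordinary segment */
        mine = dir == DEMO_DIR_ORIGIN ? DEMO_FIN_ORIGIN : DEMO_FIN_REPLY;
        /* One atomic RMW sets our bit and returns the peer's bit. */
        seen = atomic_fetch_or(&f->flags, mine) | mine;
        if ((seen & DEMO_FIN_BOTH) != DEMO_FIN_BOTH)
            return false;               /* half-close: keep offloading */
    }
    atomic_fetch_or(&f->flags, DEMO_TEARDOWN);
    return true;
}

int main(void)
{
    struct demo_flow f;

    demo_flow_init(&f);
    printf("client FIN: %d\n", demo_state_check(&f, DEMO_DIR_ORIGIN, true, false));
    printf("server data: %d\n", demo_state_check(&f, DEMO_DIR_REPLY, false, false));
    printf("server FIN: %d\n", demo_state_check(&f, DEMO_DIR_REPLY, true, false));
    return 0;
}
```

Because the bit is set and the previous value read in one atomic step, two FINs handled concurrently cannot both miss each other.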








Thread overview: 3+ messages
2022-07-26  4:45 [PATCH nf-next] netfilter: nf_flow_table: delay teardown the offload flow until fin packet recv from both direction wenxu
2022-08-01 10:21 ` Pablo Neira Ayuso
     [not found]   ` <202208020950236233262@chinatelecom.cn>
2022-08-02  2:16     ` wenxu [this message]
