From: Florian Westphal <fw@strlen.de>
To: Antonio Ojea <aojea@google.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Eric Dumazet <edumazet@google.com>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] selftests: nft_queue: conntrack expiration requeue
Date: Mon, 20 Oct 2025 22:55:55 +0200 [thread overview]
Message-ID: <aPah2y2pdhIjwHBU@strlen.de> (raw)
In-Reply-To: <20251020200805.298670-1-aojea@google.com>
Antonio Ojea <aojea@google.com> wrote:
> The nfqueue mechanism allows userspace daemons to implement complex,
> dynamic filtering rules. This is particularly useful in distributed
> platforms like Kubernetes, where security policies may be too numerous
> or change too frequently (in the order of seconds) to be implemented
> efficiently in the dataplane.
>
> To avoid the performance penalty of crossing between kernel and
> userspace for every packet, a common optimization is to use stateful
> nftables rules (e.g., ct state established,related accept) to bypass the
> queue for packets belonging to known flows.
>
> However, if there is the need to reevaluate the established connections
> using the existing rules, we should have a way to stop tracking the
> connections so they are sent back to the queue for reevaluation.
>
> Simply flushing the conntrack entries does not work for TCP if tcp_loose
> is enabled, since the conntrack stack will recover the connection
you mean disabled?
loose tracking (midstream pickup) is on by default.
> state. Setting the conntrack entry timeout to 0 allows to remove the state
> and the packet is sent to the queue.
But its the same as --delete, entry gets tossed (its timed out) and is
re-created from scratch.
> This tests validates this scenario, it establish a TCP connection,
> confirms that established packets bypass the queue, and that after
> setting the conntrack entry timeout to 0 subsequent packets are
> requeued.
That zaps the entry and re-creates it, all state is lost.
Wouldn't it make more sense to bypass based on connmark or ctlabels?
I'm not sure what the test is supposed to assert.
That setting timeout via ctnetlink to 0 kicks the entry out of the ct hash?
next prev parent reply other threads:[~2025-10-20 20:55 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-20 20:08 [PATCH] selftests: nft_queue: conntrack expiration requeue Antonio Ojea
2025-10-20 20:55 ` Florian Westphal [this message]
2025-10-20 21:23 ` Antonio Ojea
2025-10-20 22:08 ` Florian Westphal
2025-10-21 10:40 ` Antonio Ojea
2025-10-21 10:45 ` Florian Westphal
2025-10-21 12:05 ` Antonio Ojea
2025-10-21 12:18 ` Florian Westphal
2025-10-21 21:57 ` Antonio Ojea
2025-10-22 11:26 ` Florian Westphal
2025-10-22 14:15 ` Antonio Ojea
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPah2y2pdhIjwHBU@strlen.de \
--to=fw@strlen.de \
--cc=aojea@google.com \
--cc=edumazet@google.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).