From: Francesco Ruggeri
Date: Thu, 8 Oct 2020 16:41:30 -0700
Subject: Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register
To: open list, netdev, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, Jakub Kicinski, David Miller, fw@strlen.org, kadlec@netfilter.org, Pablo Neira Ayuso, Francesco Ruggeri
In-Reply-To: <20201007193252.7009D95C169C@us180.sjc.aristanetworks.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Oct 7, 2020 at 12:32 PM Francesco Ruggeri wrote:
>
> If the first packet conntrack sees after a re-register is an outgoing
> keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
> SND.NXT-1.
> When the peer correctly acknowledges SND.NXT, tcp_in_window fails
> check III (Upper bound for valid (s)ack: sack <= receiver.td_end) and
> returns false, which cascades into nf_conntrack_in setting
> skb->_nfct = 0 and in later conntrack iptables rules not matching.
> In cases where iptables are dropping packets that do not match
> conntrack rules this can result in idle tcp connections timing out.
>
> v2: adjust td_end when getting the reply rather than when sending out
> the keepalive packet.
>

Any comments?

Here is a simple reproducer. The idea is to show that keepalive packets in an
idle tcp connection will be dropped (and the connection will time out) if
conntrack hooks are de-registered and then re-registered.

The reproducer has two files.

client_server.py creates both ends of a tcp connection, bounces a few packets
back and forth, and then blocks on a recv on the client side. The client's
keepalive is configured to time out in 20 seconds. This connection should not
time out.

test is a bash script that creates a net namespace where it sets iptables rules
for the connection, starts client_server.py, and then clears and restores the
iptables rules (which causes conntrack hooks to be de-registered and
re-registered).

================ file client_server.py

#!/usr/bin/python
from __future__ import print_function
import socket

PORT = 4446

# create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind(('localhost', PORT))
sock.listen(1)

# create client socket with an aggressive keepalive: first probe after 2s
# idle, one probe every 2s, give up after 10 unanswered probes
cl_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
cl_sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
cl_sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, 2)
cl_sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, 2)
cl_sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, 10)
cl_sock.connect(('localhost', PORT))
srv_sock, _ = sock.accept()

# Bounce a packet back and forth a few times
buf = b'aaaaaaaaaaaa'
for i in range(5):
    cl_sock.send(buf)
    buf = srv_sock.recv(100)
    srv_sock.send(buf)
    buf = cl_sock.recv(100)
    print(buf)

# idle the connection: this recv should block for good; if the keepalive
# probes (or their acks) are dropped, the connection times out here instead
try:
    buf = cl_sock.recv(100)
except socket.error as e:
    print("Error: %s" % e)

sock.close()
cl_sock.close()
srv_sock.close()

============== file test

#!/bin/bash
ip netns add dummy
ip netns exec dummy ip link set lo up
echo "Created namespace"
ip netns exec dummy iptables-restore <
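The window-tracking failure described in the report, as an added example that is not part of this thread or of the kernel's nf_conntrack_proto_tcp.c: a small C model of one direction's td_end, the seeding from the first segment seen after re-registration, check III, and a hypothetical `adjust_td_end_on_reply` helper standing in for the v2 idea of fixing td_end up when the reply arrives. All struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-direction tracking state, a subset of what conntrack keeps. */
struct dir_state {
    uint32_t td_end;          /* highest SEG.SEQ + SEG.LEN seen in this direction */
    bool     seeded_zero_len; /* td_end was seeded by a data-less segment */
};

/* Sequence-space "a is after b" with 32-bit wraparound. */
static bool seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* The first segment seen in a direction after (re)registration seeds
 * td_end = SEG.SEQ + SEG.LEN; a data-less keepalive (SEG.SEQ = SND.NXT-1)
 * therefore leaves td_end one byte short of SND.NXT. */
static void seed_from_segment(struct dir_state *d, uint32_t seq, uint32_t len)
{
    d->td_end = seq + len;
    d->seeded_zero_len = (len == 0);
}

/* Hypothetical model of the v2 idea: when the reply arrives, let a
 * keepalive-seeded td_end grow by one if the peer acks exactly that byte. */
static void adjust_td_end_on_reply(struct dir_state *receiver, uint32_t ack)
{
    if (receiver->seeded_zero_len && ack == receiver->td_end + 1)
        receiver->td_end = ack;
}

/* Check III from the report: a valid (s)ack must satisfy sack <= receiver.td_end,
 * where "receiver" is the direction that sent the data being acked. */
static bool check_iii(const struct dir_state *receiver, uint32_t ack)
{
    return !seq_after(ack, receiver->td_end);
}

/* Seed the original direction from one segment (constructed input), then run
 * check III on the peer's ack coming back in the reply direction.
 * Returns true if conntrack would accept the ack. */
bool first_segment_then_ack(uint32_t seq, uint32_t len, uint32_t ack, bool v2_adjust)
{
    struct dir_state orig = {0, false};
    seed_from_segment(&orig, seq, len);
    if (v2_adjust)
        adjust_td_end_on_reply(&orig, ack);
    return check_iii(&orig, ack);
}
```

With `snd_nxt = 1000`, `first_segment_then_ack(999, 0, 1000, false)` reproduces the rejected keepalive ack from the report, and the same call with `v2_adjust` true accepts it.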