Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp2471886pxu; Fri, 9 Oct 2020 19:24:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwyMqcccsnV9IhcUhp6e/jT8RN+L2ApTGwnWuvR7neNxJKvMmnmIxKDjV2edPJiftG3rHaU X-Received: by 2002:a17:906:660f:: with SMTP id b15mr17890025ejp.333.1602296653091; Fri, 09 Oct 2020 19:24:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602296653; cv=none; d=google.com; s=arc-20160816; b=lfP/nzDEMO6JYM0PlPMfhadLP1Jby/P0MwsUunpV7CWpnJmFP9K1Dltx807L3I+3tC fYI2Uoh+fGq4nil5zthrxy9xodHsB1DVnOy6QMczhXYEhgwT/DsiWlo/NzxRWSRKZYcb /4YR9LgNthSIaeu1Wz/8nZc7JdTDUL4f7xhtj/vcFlN5gHuFIxEG5mZL4PdAgmw7urOO IcPg8aip7hbSApQVXOkvTRO9jQQv+RyfcOycIqVDpzkR920WzjpuiGqZ5ozqG2VzLGL/ hqhTSYf5sQEe4e+rTxcx7bULHzEoZcrLWXb8epnmoaep9oqqGtlDEnhjrFvQkpdZgZBG inHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:message-id :in-reply-to:subject:cc:to:from:date; bh=tr+Wwwiu7FJHsKjECcLGwqzGdFJUwItu7/OmbVL7VyI=; b=Lg0bAnR/RV102Y9FMng3ZURGI/iREon/9LylNsVEX4qYfJdRUVc+cI0hpygdsiSEg9 zGLbCgFMt2X5T2fuwUjJiC7ccDXuDG9An8G0h7u64iqsl5bIh76ajbKCr69nU35wRbs0 xfca4Ik3y3StfcYjT2JUjSDKJIOjV811xFw8cd4P+X9HKJlFioU4ldEi8EWFNPDdzmru 6NTdSJBn0iUlpxBO/tyj4GCMDo0H2SzlRTzfQt6tLr00/rtALXxnmhpqGcdtBqp2n75o ROw3/HD7s1UXrsTbm4txmL2F/Lgt2npl7+4armauD0FSgpm+SQEkZ0OWEQbazWw+A4l0 Peng== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cb5si7184512edb.251.2020.10.09.19.23.49; Fri, 09 Oct 2020 19:24:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388525AbgJITtO (ORCPT + 99 others); Fri, 9 Oct 2020 15:49:14 -0400 Received: from smtp-out.kfki.hu ([148.6.0.46]:55637 "EHLO smtp-out.kfki.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726357AbgJITtN (ORCPT ); Fri, 9 Oct 2020 15:49:13 -0400 Received: from localhost (localhost [127.0.0.1]) by smtp1.kfki.hu (Postfix) with ESMTP id 71FFD3C80102; Fri, 9 Oct 2020 21:49:11 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at smtp1.kfki.hu Received: from smtp1.kfki.hu ([127.0.0.1]) by localhost (smtp1.kfki.hu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Fri, 9 Oct 2020 21:49:04 +0200 (CEST) Received: from blackhole.kfki.hu (blackhole.kfki.hu [148.6.240.2]) by smtp1.kfki.hu (Postfix) with ESMTP id 481B13C80101; Fri, 9 Oct 2020 21:49:04 +0200 (CEST) Received: by blackhole.kfki.hu (Postfix, from userid 1000) id 09601340D60; Fri, 9 Oct 2020 21:49:04 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by blackhole.kfki.hu (Postfix) with ESMTP id 042DF340D5C; Fri, 9 Oct 2020 21:49:04 +0200 (CEST) Date: Fri, 9 Oct 2020 21:49:03 +0200 (CEST) From: Jozsef Kadlecsik X-X-Sender: kadlec@blackhole.kfki.hu To: Florian Westphal cc: Francesco Ruggeri , open list , netdev , coreteam@netfilter.org, netfilter-devel@vger.kernel.org, Jakub Kicinski , David Miller , Pablo Neira Ayuso Subject: Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register In-Reply-To: <20201009185552.GF5723@breakpoint.cc> Message-ID: References: <20201007193252.7009D95C169C@us180.sjc.aristanetworks.com> <20201009110323.GC5723@breakpoint.cc> <20201009185552.GF5723@breakpoint.cc> User-Agent: Alpine 2.23 (DEB 453 2020-06-18) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 9 Oct 2020, Florian Westphal wrote: > Matches/targets that need conntrack increment a refcount. So, when all > rules are flushed, refcount goes down to 0 and conntrack is disabled > because the hooks get removed.. > > Just doing iptables-restore doesn't unregister as long as both the old > and new rulesets need conntrack. > > The "delay unregister" remark was wrt. the "all rules were deleted" > case, i.e. add a "grace period" rather than acting right away when > conntrack use count did hit 0. Now I understand it, thanks really. The hooks are removed, so conntrack cannot "see" the packets and the entries become stale. What is the rationale behind "remove the conntrack hooks when there are no rule left referring to conntrack"? Performance optimization? But then the content of the whole conntrack table could be deleted too... ;-) > Conntrack entries are not removed, only the base hooks get unregistered. > This is a problem for tcp window tracking. > > When re-register occurs, kernel is supposed to switch the existing > entries to "loose" mode so window tracking won't flag packets as > invalid, but apparently this isn't enough to handle keepalive case. "loose" (nf_ct_tcp_loose) mode doesn't disable window tracking, it enables/disables picking up already established connections. nf_ct_tcp_be_liberal would disable TCP window checking (but not tracking) for non RST packets. But both seems to be modified only via the proc entries. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary