Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8;
Date:   Wed, 25 Oct 2023 07:56:34 +0700
From:   Bagas Sanjaya <bagasdotme@gmail.com>
To:     Pablo Neira Ayuso <pablo@netfilter.org>
Cc:     Vladimir Smelhaus <vl.sm@email.cz>,
        Linux Netfilter <netfilter@vger.kernel.org>,
        coreteam@netfilter.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Linux Regressions <regressions@lists.linux.dev>,
        Jozsef Kadlecsik <kadlec@netfilter.org>,
        Florian Westphal <fw@strlen.de>
Subject: Re: Flowtables ignore timeout settings in recent kernels
Message-ID: <ZThnwhWD308vrkUP@debian.me>
References: <ughg4v$130b$1@ciao.gmane.io>
 <ZSyBtn8cplLWoNn-@debian.me>
 <ZTglADWVBgKxKOIC@calendula>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="cM5L7aeMb6NeOAH/"
Content-Disposition: inline
In-Reply-To: <ZTglADWVBgKxKOIC@calendula>
Precedence: bulk


--cM5L7aeMb6NeOAH/
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Oct 24, 2023 at 10:11:44PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 16, 2023 at 07:20:06AM +0700, Bagas Sanjaya wrote:
> > On Sun, Oct 15, 2023 at 09:56:14PM +0200, Vladimir Smelhaus wrote:
> > > Netfilter ignores the timeout settings for a flowtable
> > >=20
> > > # sysctl -a -r flowtable
> > > net.netfilter.nf_flowtable_tcp_timeout =3D 30
> > > net.netfilter.nf_flowtable_udp_timeout =3D 30
> > >=20
> > > Situation. A long udp connection (tunnel) with some data flowing thro=
ugh a
> > > router. The connection is sent to a flowtable on the router. It's a f=
ew
> > > packets per second, more here and there, a pause here and there, and =
so on
> > > over and over. The pauses are minimal and are also limited by the tun=
nel
> > > settings to be no longer than 25 seconds. Everything is satisfying to=
 make
> > > the connection last continuously in the flowtable and not reappear in
> > > forward. However, the connection keeps dropping out of the flowtable.=
 It
> > > stays in the flowtable (offloaded) for a second at most and then it is
> > > kicked out, back to forward.
> > >=20
> > > In an attached test script you can see counters that should be zero b=
ut are not. If I watch the normal packet flow on a particular router, I can=
 see packets in the conntrack table that should be OFFLOAD as ASSURED.
> > >=20
> > > Tested in kernel 6.5.6. In an old(er) kernel 5.10 it works as expecte=
d.
> > >=20
> >=20
> > Then please perform bisection to find a culprit that introduces your
> > regression (see Documentation/admin-guide/bug-bisect.rst in the kernel
> > sources for reference). Also, it'd been great if you also post the
> > reproducer script inline (within your email) instead, as some MUAs
> > (like mutt that I'm using now) may ignore the attachment.
> >=20
> > Anyway, thanks for the regression report. I'm adding it to regzbot:
> >=20
> > #regzbot ^introduced: v5.10..v6.5
>=20
> Fix here:
>=20
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231024193815=
=2E1987-1-pablo@netfilter.org/
>=20
> it is a bug from Jun 2023, regression was introduced in the v6.5
> development cycle.
>=20

Telling regzbot:

#regzbot fix: netfilter: nf_flow_table: GC pushes back packets to classic p=
ath

Thanks.

--=20
An old man doll... just what I always wanted! - Clara

--cM5L7aeMb6NeOAH/
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQSSYQ6Cy7oyFNCHrUH2uYlJVVFOowUCZThnvgAKCRD2uYlJVVFO
o8J0AQD7MDH2zNbKZM6ZlcvUYRSmRK0rvX6lR+6/MFllgRlZnAEA7GV4EePorg3E
0xZhimBiax8M/oW2TAW86qCo9VyAegY=
=3CKf
-----END PGP SIGNATURE-----

--cM5L7aeMb6NeOAH/--