Date: Fri, 15 Oct 2021 11:57:16 +0200
From: Florian Westphal
To: Maciej Żenczykowski
Cc: Pablo Neira Ayuso, Florian Westphal, Linux Network Development Mailing List, Netfilter Development Mailing List
Subject: Re: [PATCH netfilter] netfilter: conntrack: udp: generate event on switch to stream timeout
Message-ID: <20211015095716.GH2942@breakpoint.cc>
References: <20211015090934.2870662-1-zenczykowski@gmail.com>

Maciej Żenczykowski wrote:
> > Hm, I still don't understand why do you need this extra 3rd
> > update/assured event. Could you explain your use case?
>
> Currently we populate a flow offload array on the assured event, and
> thus the flow in both directions starts bypassing the kernel.
> Hence conntrack timeout is no longer automatically refreshed - and
> there is no opportunity for the timeout to get bumped to the stream
> timeout of 120s - it stays at 30s.
> We periodically (every just over 60-ish seconds) check whether packets
> on a flow have been offloaded, and if so refresh the conntrack
> timeout. This isn't cheap and we don't want to do it even more often.
> However this 60s cycle > 30s non-stream udp timeout, so the kernel
> conntrack entry expires (and we must thus clear out the flow from the
> offload). This results in a broken udp stream - but only on newer
> kernels. Older kernels don't have this '2s' wait feature (which makes
> a lot of sense btw.) but as a result of this the conntrack assured
> event happens at the right time - when the timeout hits 120s (or 180s
> on even older kernels).
>
> By generating another assured event when the udp stream is 'confirmed'
> and the timeout is boosted from 30s to 120s we have an opportunity to
> ignore the first one (with timeout 30) and only populate the offload
> on the second one (with timeout 120).
>
> I'm not sure if I'm doing a good job of describing this. Ask again if
> it's not clear and I'll try again.

Thanks for explaining, no objections to this from my side.

Do you think it makes sense to just delay setting the ASSURED bit until
after the 2s period?
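The timing interaction Maciej describes (an offload daemon that acts on the first ASSURED event, a ~60 s refresh cycle, and a 30 s non-stream timeout that only becomes 120 s after the kernel's 2 s wait) can be reproduced with a small discrete-time model. The following is an added illustration, not kernel code and not the patch from the thread: one tick is one second, a bidirectional UDP flow sends a packet every tick, and the daemon (all names here are invented) populates the offload on the first ASSURED event whose conntrack timeout is at least a configurable threshold. The 30 s / 120 s / 2 s / ~60 s values are the ones quoted in the mail; that the 2 s delay is counted from entry creation is an assumption of the model.

```python
"""Toy timing model of the conntrack/offload interaction discussed in the thread.

Added illustration, not kernel code.  1 tick = 1 s.  Models a simplified
conntrack entry, the kernel's UDP timeout handling, and a userspace offload
daemon that reacts to ASSURED events and refreshes offloaded entries.
Timeout values are those quoted in the mail; everything else is assumed.
"""
from dataclasses import dataclass, field

UDP_TIMEOUT = 30          # non-stream UDP timeout in seconds (from the mail)
UDP_TIMEOUT_STREAM = 120  # stream UDP timeout in seconds (from the mail)
STREAM_DELAY = 2          # newer kernels wait 2 s before using the stream timeout
REFRESH_PERIOD = 61       # daemon refresh cycle, "every just over 60-ish seconds"


@dataclass
class Conntrack:
    created_at: int
    expires_at: int
    seen_reply: bool = False
    assured: bool = False
    stream: bool = False
    events: list = field(default_factory=list)  # (tick, event name, timeout)

    def timeout(self):
        return UDP_TIMEOUT_STREAM if self.stream else UDP_TIMEOUT


def kernel_packet(ct, now, reply, stream_delay, event_on_stream_switch):
    """Model of the kernel handling a UDP packet that hits `ct` at tick `now`.

    ASSURED is set on the first packet after a reply has been seen (the
    pre-patch behaviour the mail describes: the event fires while the timeout
    is still 30 s).  The stream timeout is used once the entry is at least
    `stream_delay` ticks old (assumption: measured from entry creation; 0
    models the older kernels without the 2 s wait).  With
    `event_on_stream_switch=True` the proposed patch is modelled: a second
    ASSURED event fires when the timeout becomes the stream timeout.
    """
    if reply:
        ct.seen_reply = True
    if ct.seen_reply:
        if not ct.stream and now - ct.created_at >= stream_delay:
            ct.stream = True
            if event_on_stream_switch and ct.assured:
                ct.events.append((now, "assured", ct.timeout()))
        if not ct.assured:
            ct.assured = True
            ct.events.append((now, "assured", ct.timeout()))
    ct.expires_at = now + ct.timeout()


def run(stream_delay=STREAM_DELAY, event_on_stream_switch=False,
        offload_min_timeout=UDP_TIMEOUT, ticks=400):
    """Simulate one UDP flow with a packet every tick (replies from tick 1 on).

    The hypothetical daemon populates the offload on the first ASSURED event
    whose timeout is >= `offload_min_timeout` (30: act on the first event,
    120: wait for the stream event).  Once offloaded, packets bypass the
    kernel and only the daemon's periodic refresh keeps the entry alive.
    Returns (offloaded_at, expired_at); expired_at is None if the entry survived.
    """
    ct = Conntrack(created_at=0, expires_at=UDP_TIMEOUT)
    offloaded_at = None
    seen_events = 0
    for now in range(ticks):
        if now >= ct.expires_at:
            return offloaded_at, now  # kernel garbage-collected the entry
        if offloaded_at is None:
            kernel_packet(ct, now, now >= 1, stream_delay, event_on_stream_switch)
            for _, name, timeout in ct.events[seen_events:]:
                if name == "assured" and timeout >= offload_min_timeout:
                    offloaded_at = now
            seen_events = len(ct.events)
        elif (now - offloaded_at) % REFRESH_PERIOD == 0:
            # periodic check found the flow offloaded: refresh the conntrack timeout
            ct.expires_at = now + ct.timeout()
    return offloaded_at, None


if __name__ == "__main__":
    print("newer kernel, offload on first event:       ", run())
    print("newer kernel, daemon waits for 120s event:  ", run(offload_min_timeout=120))
    print("newer kernel + patch, wait for 120s event:  ",
          run(event_on_stream_switch=True, offload_min_timeout=120))
    print("older kernel (no 2s wait), first event:     ", run(stream_delay=0))
```

The four scenarios map onto the mail: on a newer kernel the daemon offloads at tick 1 with a 30 s timeout and the entry is gone at tick 31, before the first refresh at tick 62; without the patch a daemon that waits for a 120 s event never offloads at all, because no such event is generated once the flow bypasses the kernel; with the patch the second event arrives at tick 2 with the 120 s timeout and the 61 s refresh cycle keeps the entry alive; on an older kernel without the 2 s wait the first ASSURED event already carries the 120 s timeout.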