From: Sven Auhagen <sven.auhagen@voleatech.de>
To: Oz Shlomo <ozsh@nvidia.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Felix Fietkau <nbd@nbd.name>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
Florian Westphal <fw@strlen.de>, Paul Blakey <paulb@nvidia.com>
Subject: Re: [PATCH net] netfilter: nf_flow_table: fix teardown flow timeout
Date: Mon, 9 May 2022 10:51:49 +0200 [thread overview]
Message-ID: <20220509085149.ixdy3fbombutdpd7@SvensMacbookPro.hq.voleatech.com> (raw)
In-Reply-To: <20220509072916.18558-1-ozsh@nvidia.com>
Hi Oz,
thank you, this patch fixes the race between ct gc and flowtable teardown.
There is another big problem though in the code currently and I will send a patch
in a minute.
The flowtable teardown code always forces the ct state back to established
and adds the established timeout to it even if it is in CLOSE or FIN WAIT
which ultimately leads to a huge number of dead states in established state.
I will CC you on the patch, where I also stumbled upon your issue.
Best
Sven
On Mon, May 09, 2022 at 10:29:16AM +0300, Oz Shlomo wrote:
> Connections leaving the established state (due to RST / FIN TCP packets)
> set the flow table teardown flag. The packet path continues to set lower
> timeout value as per the new TCP state but the offload flag remains set.
> Hence, the conntrack garbage collector may race to undo the timeout
> adjustment of the packet path, leaving the conntrack entry in place with
> the internal offload timeout (one day).
>
> Return the connection's ownership to conntrack upon teardown by clearing
> the offload flag and fixing the established timeout value. The flow table
> GC thread will asynchonrnously free the flow table and hardware offload
> entries.
>
> Fixes: 1e5b2471bcc4 ("netfilter: nf_flow_table: teardown flow timeout race")
> Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
> Reviewed-by: Paul Blakey <paulb@nvidia.com>
> ---
> net/netfilter/nf_flow_table_core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> index 3db256da919b..ef080dbd4fd0 100644
> --- a/net/netfilter/nf_flow_table_core.c
> +++ b/net/netfilter/nf_flow_table_core.c
> @@ -375,6 +375,9 @@ void flow_offload_teardown(struct flow_offload *flow)
> set_bit(NF_FLOW_TEARDOWN, &flow->flags);
>
> flow_offload_fixup_ct_state(flow->ct);
> + flow_offload_fixup_ct_timeout(flow->ct);
> +
> + clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status);
> }
> EXPORT_SYMBOL_GPL(flow_offload_teardown);
>
> --
> 1.8.3.1
>
next prev parent reply other threads:[~2022-05-09 9:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-09 7:29 [PATCH net] netfilter: nf_flow_table: fix teardown flow timeout Oz Shlomo
2022-05-09 8:51 ` Sven Auhagen [this message]
2022-05-09 12:18 ` Oz Shlomo
2022-05-09 12:27 ` Sven Auhagen
2022-05-09 13:01 ` Oz Shlomo
2022-05-09 13:14 ` Sven Auhagen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220509085149.ixdy3fbombutdpd7@SvensMacbookPro.hq.voleatech.com \
--to=sven.auhagen@voleatech.de \
--cc=fw@strlen.de \
--cc=nbd@nbd.name \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=ozsh@nvidia.com \
--cc=pablo@netfilter.org \
--cc=paulb@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.