From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries
Date: Tue, 14 Jan 2020 00:53:09 +0100 [thread overview]
Message-ID: <20200113235309.GM795@breakpoint.cc> (raw)
In-Reply-To: <20200108134500.31727-1-fw@strlen.de>
Florian Westphal <fw@strlen.de> wrote:
> This entire series isn't nice but so far I did not find a better
> solution.
I did consider getting rid of the unconfirmed list, but this is also
problematic.
At allocation time we do not know what kind of NAT transformations
will be applied by the ruleset, i.e. we'd need another locking step to
move the entries to the right location in the hash table.
Same if the skb is dropped: we need to lock the conntrack table again to
delete the newly added entry -- this isn't needed right now because the
conntrack is only on the percpu unconfirmed list in this case.
This is also a problem because of conntrack events, we would have to
seperate insertion and notification, else we'd flood userspace for every
conntrack we create in case of a packet drop flood.
Other solutions are:
1. use a ruleset that assigns the same nat mapping for both A and AAAA
requests, or,
2. steer all packets that might have this problem (i.e. udp dport 53) to
the same cpu core.
Yet another solution would be a variation of this patch set:
1. Only add the reply direction to the table (i.e. conntrack -L won't show
the duplicated entry).
2. Add a new conntrack flag for the duplicate that guarantees the
conntrack is removed immediately when first reply packet comes in.
This would also have the effect that the conntrack can never be
assured, i.e. the "hidden duplicates" are always early-dropable if
conntrack table gets full.
3. change event code to never report such duplicates to userspace.
next prev parent reply other threads:[~2020-01-13 23:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-08 13:44 [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 1/4] netfilter: conntrack: remove two args from resolve_clash Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 2/4] netfilter: conntrack: place confirm-bit setting in a helper Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 3/4] netfilter: conntrack: split resolve_clash function Florian Westphal
2020-01-08 13:45 ` [RFC nf-next 4/4] netfilter: conntrack: allow insertion of duplicate/clashing entries Florian Westphal
2020-01-13 14:04 ` [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-01-13 23:53 ` Florian Westphal [this message]
2020-01-14 21:14 ` Kadlecsik József
2020-01-14 22:21 ` Florian Westphal
2020-01-15 7:58 ` Kadlecsik József
2020-01-16 11:19 ` Pablo Neira Ayuso
2020-01-16 11:37 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200113235309.GM795@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).