From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH nf 0/4] netfilter: conntrack: allow insertion of clashing entries
Date: Mon, 3 Feb 2020 17:37:03 +0100
Message-ID: <20200203163707.27254-1-fw@strlen.de>

This series allows conntrack to insert a duplicate conntrack entry
if the reply direction doesn't result in a clash with a different
original connection.
Background:
kubernetes creates load-balancing rules for DNS using
-m statistics, e.g.:
-p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination x
-p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination y
When the resolver sends an A and AAAA request back-to-back from
different threads on the same socket, this has a high chance of a connection
tracking clash at insertion time.
This in turn results in a drop of the clashing udp packet which then
results in a 5 second DNS timeout.
The clash cannot be resolved with the current logic because the
two conntrack entries have different NAT transformations, the first one
from s:highport to x.53, the second from s:highport to y.53.
One solution is to change rules to use a consistent mapping, e.g.
using -m cluster or nftables 'jhash' expression. This would cause
the A and AAAA requests coming from same socket to match the same rule and
thus share the same NAT information. However, I do not believe this is
a realistic course of action.
This change adds a second clash resolution/drop avoidance step:
A clashing entry will be added anyway provided the reply direction
is unique.
Because this results in duplicate conntrack entries for the original
direction, this comes with strings attached:
1. The clashed entry will only be around for 1 second
2. The clashed entry can only be found in reply direction
(not inserted for ORIGINAL)
3. The clashed entry is auto-removed once first reply comes in
4. The clashed entry is never assured and can thus be evicted if
conntrack table becomes full.
Major change since RFC:
1. Do not insert the duplicate/clash in original dir.
2. This implicitly hides the entry from "conntrack -L".
3. use an internal status bit to auto-remove the conntrack
when first reply comes in.
4. Extend the commit message of last patch to include a
summary of alternate proposals (and why they did not work out).
I'm sending this for nf rather than nf-next because I consider this
a bug fix, but I am fine if this is deferred for nf-next instead.
Florian Westphal (4):
netfilter: conntrack: remove two args from resolve_clash
netfilter: conntrack: place confirm-bit setting in a helper
netfilter: conntrack: split resolve_clash function
netfilter: conntrack: allow insertion of clashing entries
include/linux/rculist_nulls.h | 7 +++++
include/uapi/linux/netfilter/nf_conntrack_common.h | 12 ++++++++-
net/netfilter/nf_conntrack_core.c | 192 ++++++++++++++++------
net/netfilter/nf_conntrack_proto_udp.c | 20 ++++++++++--
4 files changed, 198 insertions(+), 33 deletions(-)
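The following Python model is an added illustration and is not code from this series or from the kernel; it replays the insertion rules from the cover letter (one-second lifetime, reply-direction-only lookup, removal on first reply, never assured) for the A/AAAA case. The table layout, the `allow_clash_dup` switch, and every address and port are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass

# 4-tuple of a UDP flow as seen on the wire (src, sport, dst, dport); constructed model
Tuple4 = namedtuple("Tuple4", "src sport dst dport")

@dataclass
class Conntrack:
    orig: Tuple4
    reply: Tuple4
    timeout: float = 30.0     # constructed default; a clash duplicate gets 1s instead
    assured: bool = False     # never set on a clash duplicate, so it is evictable under pressure
    clash_dup: bool = False   # models the internal status bit: drop entry once first reply is seen

class ConntrackTable:
    # Toy model of confirm-time clash handling; allow_clash_dup=False is the pre-series behaviour.
    def __init__(self, allow_clash_dup=True):
        self.allow_clash_dup = allow_clash_dup
        self.by_orig, self.by_reply = {}, {}

    def confirm(self, ct, now):
        existing = self.by_orig.get(ct.orig)
        if existing is None:                      # no clash: insert for both directions
            self.by_orig[ct.orig] = self.by_reply[ct.reply] = ct
            return "inserted"
        if existing.reply == ct.reply:            # identical NAT mapping: reuse existing entry
            return "reused"
        if not self.allow_clash_dup or ct.reply in self.by_reply:
            return "dropped"                      # old logic, or reply direction clashes too
        ct.timeout = now + 1.0                    # (1) lives only one second
        ct.clash_dup = True                       # (3) auto-removed once first reply arrives
        self.by_reply[ct.reply] = ct              # (2) findable in REPLY direction only
        return "inserted_reply_only"

    def lookup(self, pkt, now):
        ct = self.by_orig.get(pkt)
        if ct is not None:
            return ct, "ORIGINAL"
        ct = self.by_reply.get(pkt)
        if ct is None:
            return None, None
        if ct.timeout <= now:                     # expired: garbage-collect it
            del self.by_reply[pkt]
            if not ct.clash_dup:
                del self.by_orig[ct.orig]
            return None, None
        if ct.clash_dup:
            del self.by_reply[pkt]                # reply matched: duplicate has done its job (3)
        return ct, "REPLY"
```

Running the same A/AAAA pair through a table with `allow_clash_dup=False` yields "dropped" for the second request, which is the 5 second resolver timeout the cover letter describes.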
Thread overview: 7+ messages
2020-02-03 16:37 Florian Westphal [this message]
2020-02-03 16:37 ` [PATCH nf 1/4] netfilter: conntrack: remove two args from resolve_clash Florian Westphal
2020-02-03 16:37 ` [PATCH nf 2/4] netfilter: conntrack: place confirm-bit setting in a helper Florian Westphal
2020-02-03 16:37 ` [PATCH nf 3/4] netfilter: conntrack: split resolve_clash function Florian Westphal
2020-02-03 16:37 ` [PATCH nf 4/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-02-17 19:25 ` [PATCH nf 0/4] " Pablo Neira Ayuso
2020-02-17 20:12 ` Florian Westphal