Netfilter-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH nf 0/4] netfilter: conntrack: allow insertion of clashing entries
@ 2020-02-03 16:37 Florian Westphal
  2020-02-03 16:37 ` [PATCH nf 1/4] netfilter: conntrack: remove two args from resolve_clash Florian Westphal
                   ` (4 more replies)
  0 siblings, 5 replies; 7+ messages in thread
From: Florian Westphal @ 2020-02-03 16:37 UTC (permalink / raw)
  To: netfilter-devel

This series allows conntrack to insert a duplicate conntrack entry
if the reply direction doesn't result in a clash with a different
original connection.

Background:

kubernetes creates load-balancing rules for DNS using
-m statistics, e.g.:
-p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination x
-p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination y

When the resolver sends an A and AAAA request back-to-back from
different threads on the same socket, this has a high chance of a connection
tracking clash at insertion time.

This in turn results in a drop of the clashing udp packet which then
results in a 5 second DNS timeout.

The clash cannot be resolved with the current logic because the
two conntracks entries have different NAT transformations, the first one
from s:highport to x.53, the second from s:highport to y.53.

One solution is to change rules to use a consistent mapping, e.g.
using -m cluster or nftables 'jhash' expression.  This would cause
the A and AAAA requests coming from same socket to match the same rule and
thus share the same NAT information.  However, I do not believe this is
a realistic course of action.

This change adds a second clash resolution/drop avoidance step:
A clashing entry will be added anyway provided the reply direction
is unique.

Because this results in duplicate conntrack entries for the original
direction, this comes with strings attached:
1. The clashed entry will only be around for 1 second
2. The clashed entry can only be found in reply direction
   (not inserted for ORIGINAL)
3. The clashed entry is auto-removed once first reply comes in
4  The clashed entry is never assured and can thus be evicted if
   conntrack table becomes full.

Major change since RFC:
1. Do not insert the duplicate/clash in original dir.
2. This implicitly hides the entry from "conntrack -L".
3. use an internal status bit to auto-remove the conntrack
   when first reply comes in.
4. Extend the commit message of last patch to include a
   summary of alternate proposals (and why they did not work out).

I'm sending this for nf rather than nf-next because I consider this
a bug fix, but I am fine if this is deferred for nf-next instead.

Florian Westphal (4):
      netfilter: conntrack: remove two args from resolve_clash
      netfilter: conntrack: place confirm-bit setting in a helper
      netfilter: conntrack: split resolve_clash function
      netfilter: conntrack: allow insertion of clashing entries

 include/linux/rculist_nulls.h                      |   7 +++++
 include/uapi/linux/netfilter/nf_conntrack_common.h |  12 ++++++++-
 net/netfilter/nf_conntrack_core.c                  | 192 ++++++++++++++++------
 net/netfilter/nf_conntrack_proto_udp.c             |  20 ++++++++++--
 4 files changed, 198 insertions(+), 33 deletions(-)


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-03 16:37 [PATCH nf 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-02-03 16:37 ` [PATCH nf 1/4] netfilter: conntrack: remove two args from resolve_clash Florian Westphal
2020-02-03 16:37 ` [PATCH nf 2/4] netfilter: conntrack: place confirm-bit setting in a helper Florian Westphal
2020-02-03 16:37 ` [PATCH nf 3/4] netfilter: conntrack: split resolve_clash function Florian Westphal
2020-02-03 16:37 ` [PATCH nf 4/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-02-17 19:25 ` [PATCH nf 0/4] " Pablo Neira Ayuso
2020-02-17 20:12   ` Florian Westphal

Netfilter-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netfilter-devel/0 netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ https://lore.kernel.org/netfilter-devel \
		netfilter-devel@vger.kernel.org
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netfilter-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git