On Wed, Oct 07, 2020 at 12:32:52PM -0700, Francesco Ruggeri wrote:
> If the first packet conntrack sees after a re-register is an outgoing
> keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
> SND.NXT-1.
> When the peer correctly acknowledges SND.NXT, tcp_in_window fails
> check
Francesco Ruggeri wrote:
> On Wed, Oct 14, 2020 at 1:23 AM Florian Westphal wrote:
> >
> > Pablo Neira Ayuso wrote:
> > > Legacy would still be flawed though.
> >
> > Its fine too, new rule blob gets handled (and match/target checkentry
> > called) before old one is dismantled.
> >
> > We only h
On Wed, Oct 14, 2020 at 1:23 AM Florian Westphal wrote:
>
> Pablo Neira Ayuso wrote:
> > Legacy would still be flawed though.
>
> Its fine too, new rule blob gets handled (and match/target checkentry
> called) before old one is dismantled.
>
> We only have a 0 refcount + hook unregister when rule
Pablo Neira Ayuso wrote:
> > Yes, we iterate table on re-register and modify the existing entries.
>
> For iptables-nft, it might be possible to avoid this deregister +
> register ct hooks in the same transaction: Maybe add something like
> nf_ct_netns_get_all() to bump refcounters by one _iff_ t
On Wed, Oct 14, 2020 at 02:06:28AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote:
> > Jozsef Kadlecsik wrote:
> > > > The "delay unregister" remark was wrt. the "all rules were deleted"
> > > > case, i.e. add a "grace period" rather than acting
On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote:
> Jozsef Kadlecsik wrote:
> > > The "delay unregister" remark was wrt. the "all rules were deleted"
> > > case, i.e. add a "grace period" rather than acting right away when
> > > conntrack use count did hit 0.
> >
> > Now I underst
Jozsef Kadlecsik wrote:
> > The "delay unregister" remark was wrt. the "all rules were deleted"
> > case, i.e. add a "grace period" rather than acting right away when
> > conntrack use count did hit 0.
>
> Now I understand it, thanks really. The hooks are removed, so conntrack
> cannot "see" the
On Fri, Oct 9, 2020 at 12:49 PM Jozsef Kadlecsik wrote:
> What is the rationale behind "remove the conntrack hooks when there are no
> rule left referring to conntrack"? Performance optimization?
That seems to be the case. See commit 4d3a57f23dec ("netfilter: conntrack:
do not enable connection t
On Fri, 9 Oct 2020, Florian Westphal wrote:
> Matches/targets that need conntrack increment a refcount. So, when all
> rules are flushed, refcount goes down to 0 and conntrack is disabled
> because the hooks get removed..
>
> Just doing iptables-restore doesn't unregister as long as both the ol
Jozsef Kadlecsik wrote:
> > The repro clears all rules, waits 4 seconds, then restores the ruleset.
> > using iptables-restore < FOO; sleep 4; iptables-restore < FOO will not
> > result in any unregister ops.
> >
> > We could make kernel defer unregister via some work queue but i don't
> > see w
Hi Florian,
On Fri, 9 Oct 2020, Florian Westphal wrote:
> Jozsef Kadlecsik wrote:
> > > The reproducer has two files. client_server.py creates both ends of
> > > a tcp connection, bounces a few packets back and forth, and then
> > > blocks on a recv on the client side. The client's keepalive i
Jozsef Kadlecsik wrote:
> > Any comments?
> > Here is a simple reproducer. The idea is to show that keepalive packets
> > in an idle tcp connection will be dropped (and the connection will time
> > out) if conntrack hooks are de-registered and then re-registered. The
> > reproducer has two file
Hi Francesco,
On Thu, 8 Oct 2020, Francesco Ruggeri wrote:
> On Wed, Oct 7, 2020 at 12:32 PM Francesco Ruggeri wrote:
> >
> > If the first packet conntrack sees after a re-register is an outgoing
> > keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
> > SND.NXT-1. When the
On Wed, Oct 7, 2020 at 12:32 PM Francesco Ruggeri wrote:
>
> If the first packet conntrack sees after a re-register is an outgoing
> keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
> SND.NXT-1.
> When the peer correctly acknowledges SND.NXT, tcp_in_window fails
> check III (U
If the first packet conntrack sees after a re-register is an outgoing
keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
SND.NXT-1.
When the peer correctly acknowledges SND.NXT, tcp_in_window fails
check III (Upper bound for valid (s)ack: sack <= receiver.td_end) and
returns fals
15 matches
Mail list logo
