This is the *list* timeout, which is indeed set to be half the session timeout, as you notice.
The logic in acl_fa_check_idle_sessions dequeues the sessions from the list every list timeout (which as you note is half the session timeout) - regardless of whether the session is active or not, and then checks whether the idle time on the session has passed - and if it didn’t, then it enqueues it back. The intent is to actually delete the idle sessions within half of the idle timeout, once the session has expired, not immediately - such that we can do the timeout checking at leisure. Hope this helps. --a > On 11 Oct 2022, at 11:45, Chul-Woong Yang <cwy...@gmail.com> wrote: > > Hi, all. > > When I try the ACL plugin, I find that transient timeout of the TCP > connection gets halved. > For example, the session entry for a finished TCP session gets cleaned > after 60 seconds, even if the TCP idle timeout is set to default 120 seconds. > > This is the relevant code. > https://github.com/FDio/vpp/blob/06923b33a9507ee6a92facb770650fff93d89dff/src/plugins/acl/sess_mgmt_node.c#L133 > > I think the author's original intention is `check them twice per user > timeout`, but the current behavior is `halve the user timeout`. > > Any comments will be appreciated deeply. > > Best regards, > Chul-Woong > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#21998): https://lists.fd.io/g/vpp-dev/message/21998 Mute This Topic: https://lists.fd.io/mt/94254992/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
