On Sun, Aug 13, 2023 at 12:55:35PM -0400, Xin Long wrote:
> In SCTP protocol, it is using the same timer (T2 timer) for SHUTDOWN and
> SHUTDOWN_ACK retransmission. However in sctp conntrack the default timeout
> value for SCTP_CONNTRACK_SHUTDOWN_ACK_SENT state is 3 secs while it's 300
> msecs for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV state.
>
> As Paolo Valerio noticed, this might cause unwanted expiration of the ct
> entry. In my test, with 1s tc netem delay set on the NAT path, after the
> SHUTDOWN is sent, the sctp ct entry enters SCTP_CONNTRACK_SHUTDOWN_SEND
> state. However, due to 300ms (too short) delay, when the SHUTDOWN_ACK is
> sent back from the peer, the sctp ct entry has expired and been deleted,
> and then the SHUTDOWN_ACK has to be dropped.
>
> Also, it is confusing these two sysctl options always show 0 due to all
> timeout values using sec as unit:
>
> net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
> net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
>
> This patch fixes it by also using 3 secs for sctp shutdown send and recv
> state in sctp conntrack, which is also RTO.initial value in SCTP protocol.
>
> Note that the very short time value for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV
> was probably used for a rare scenario where SHUTDOWN is sent on 1st path
> but SHUTDOWN_ACK is replied on 2nd path, then a new connection started
> immediately on 1st path. So this patch also moves from SHUTDOWN_SEND/RECV
> to CLOSE when receiving INIT in the ORIGINAL direction.
>
> Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
> Reported-by: Paolo Valerio <pvalerio@xxxxxxxxxx>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
