> -----Original Message-----
> From: Xin Long <lucien.xin@xxxxxxxxx>
> Sent: Sunday, 13 August 2023 18:56
> To: network dev <netdev@xxxxxxxxxxxxxxx>; netfilter-devel@xxxxxxxxxxxxxxx;
> linux-sctp@xxxxxxxxxxxxxxx
> Cc: davem@xxxxxxxxxxxxx; kuba@xxxxxxxxxx; Eric Dumazet
> <edumazet@xxxxxxxxxx>; Paolo Abeni <pabeni@xxxxxxxxxx>; Pablo Neira
> Ayuso <pablo@xxxxxxxxxxxxx>; Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>; Florian
> Westphal <fw@xxxxxxxxx>; Marcelo Ricardo Leitner
> <marcelo.leitner@xxxxxxxxx>
> Subject: [PATCH nf] netfilter: set default timeout to 3 secs for sctp shutdown
> send and recv state
>
> In SCTP protocol, it is using the same timer (T2 timer) for SHUTDOWN and
> SHUTDOWN_ACK retransmission. However in sctp conntrack the default
> timeout value for SCTP_CONNTRACK_SHUTDOWN_ACK_SENT state is 3 secs
> while it's 300 msecs for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV state.
>
> As Paolo Valerio noticed, this might cause unwanted expiration of the ct entry.
> In my test, with 1s tc netem delay set on the NAT path, after the SHUTDOWN is
> sent, the sctp ct entry enters SCTP_CONNTRACK_SHUTDOWN_SEND state.
> However, due to 300ms (too short) delay, when the SHUTDOWN_ACK is sent
> back from the peer, the sctp ct entry has expired and been deleted, and then
> the SHUTDOWN_ACK has to be dropped.
>
> Also, it is confusing these two sysctl options always show 0 due to all timeout
> values using sec as unit:
>
> net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
> net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
>
> This patch fixes it by also using 3 secs for sctp shutdown send and recv state in
> sctp conntrack, which is also RTO.initial value in SCTP protocol.
>
> Note that the very short time value for
> SCTP_CONNTRACK_SHUTDOWN_SEND/RECV was probably used for a rare
> scenario where SHUTDOWN is sent on 1st path but SHUTDOWN_ACK is replied
> on 2nd path, then a new connection started immediately on 1st path. So this
> patch also moves from SHUTDOWN_SEND/RECV to CLOSE when receiving INIT
> in the ORIGINAL direction.
>
> Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
> Reported-by: Paolo Valerio <pvalerio@xxxxxxxxxx>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_proto_sctp.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c
> b/net/netfilter/nf_conntrack_proto_sctp.c
> index 91eacc9b0b98..b6bcc8f2f46b 100644
> --- a/net/netfilter/nf_conntrack_proto_sctp.c
> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> @@ -49,8 +49,8 @@ static const unsigned int
> sctp_timeouts[SCTP_CONNTRACK_MAX] = {
> [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
> [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
> [SCTP_CONNTRACK_ESTABLISHED] = 210 SECS,
> - [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS /
> 1000,
> - [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS /
> 1000,
> + [SCTP_CONNTRACK_SHUTDOWN_SENT] = 3 SECS,
> + [SCTP_CONNTRACK_SHUTDOWN_RECD] = 3 SECS,
> [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
> [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
> };
> @@ -105,7 +105,7 @@ static const u8
> sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
> {
> /* ORIGINAL */
> /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */
> -/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW},
> +/* init */ {sCL, sCL, sCW, sCE, sES, sCL, sCL, sSA, sCW},
> /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},
> /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
> /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL},
> --
> 2.39.1
FWIW, I like this patch. Should Documentation/networking/nf_conntrack-sysctl.rst be updated to reflect the new timeout values?
