On 13.11.2014 13:08, Pablo Neira Ayuso wrote: >> For me there is little difference in choosing DROP or ACCEPT as verdict. >> > The packet/skb belongs to a formerly allowed connection, most likely >> > this connection is still allowed (but the conntrack hash entry is about >> > to be removed due to userspace is flushing the conntrack table). > __nf_conntrack_confirm() is only called for the first packet that we > see in a flow. If you just invoked the flush command once (which > should be the common case), then this is likely to be the first packet > of the flow (unless you already called flush anytime soon in the > past). Yes, you are right. As far as I remember it was very hard to trigger that critical moment, when the first packet triggered the insertion into the hash table. But the test and production systems showed this strange behaviour, that no traffic was allowed to flow for exactly 600 seconds. > >> > To minimize the impact (lost packets -> retransmit) I decided to allow >> > the skb in flight, so were is no lost packet at this place. > I understand your original motivation was to be conservative. Yes. > >> > When the connection is not allowed anymore (but was allowed up to now, >> > because the hash entry exists), the impact is one last packet 'slipping >> > through'. Feel free to change the verdict, IMHO it doesn't matter at all as long as the hash table is in a consistent state. The higher protocol layers will deal with the missing packet. > The general policy in conntrack is to not drop packets, but in this > case we'll leave things in inconsistent state (ie. we will likely > receive a reply packet in response to the original packet that has no > conntrack yet). Under heavy load this can happen anyway I guess? Thanks and best regards Jörg -- Dipl.-Inform. Jörg Marx Bereichsleiter Entwicklung Client- & Netzwerksicherheit Geschäftsbereich Public Sector secunet Security Networks AG Ammonstr. 74 D-01067 Dresden, Germany Telefon +49 201 54 54-3517 Telefax +49 201 54 54-1323 joerg.marx@xxxxxxxxxxx www.secunet.com secunet Security Networks AG Kronprinzenstr. 30 45128 Essen, Germany Amtsgericht Essen HRB 13615 Vorstand: Dr. Rainer Baumgart (Vors.), Thomas Pleines Aufsichtsratsvorsitzender: Dr. Peter Zattler -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
