Felix Fietkau <nbd@xxxxxxxx> wrote:
> On 2018-07-20 15:08, Pablo Neira Ayuso wrote:
> > From: Florian Westphal <fw@xxxxxxxxx>
> >
> > This is one of the very few external callers of ->get_timeouts(),
> >
> > We can use a fixed timeout instead, conntrack core will refresh this in
> > case a new packet comes within this period.
> >
> > Use of ESTABLISHED timeout seems way too huge anyway.
> It seems to me that this could easily break long-lived connections that
> are idle most of the time.

Problem is that we don't know the state of the connection, since it was offloaded.

We don't know if the connection 'died' with unacked data (short default timeout) or not (long default timeout).

So I would prefer to err on the 'evict idle connection that had no keepalives early' side rather than the 'add dead connection hanging around forever'.
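The trade-off argued in this thread can be made concrete with a small model. The following is an added example, not code from the patch, the netfilter flowtable, or either poster: a toy offload table in which each flow carries a deadline, a matched packet refreshes the deadline by a fixed timeout (the "conntrack core will refresh this" behaviour), and a garbage collector evicts flows whose deadline has passed. The 30-second fixed timeout, the function names and the traffic scenario are assumptions for illustration; the 5-day value is the Linux default for `nf_conntrack_tcp_timeout_established`. The scenario offloads two flows: one keeps sending, the other goes silent as if its peer died without a FIN or RST.

```c
/* Added illustration of the offload timeout policy; not netfilter code. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_FLOWS 8
#define OFFLOAD_TIMEOUT 30L                      /* assumed fixed timeout, seconds */
#define ESTABLISHED_TIMEOUT (5L * 24 * 60 * 60)  /* Linux default: 5 days */

struct flow {
    int id;
    bool active;
    long deadline;   /* absolute time (s) after which GC evicts the flow */
};

struct flow_table {
    struct flow flows[MAX_FLOWS];
    long timeout;    /* fixed timeout applied on add and on every refresh */
};

void flow_table_init(struct flow_table *t, long timeout)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        t->flows[i].active = false;
    t->timeout = timeout;
}

static struct flow *flow_lookup(struct flow_table *t, int id)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (t->flows[i].active && t->flows[i].id == id)
            return &t->flows[i];
    return NULL;
}

/* Offload a flow: it starts with a full timeout window. False if the table is full. */
bool flow_add(struct flow_table *t, int id, long now)
{
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!t->flows[i].active) {
            t->flows[i].id = id;
            t->flows[i].active = true;
            t->flows[i].deadline = now + t->timeout;
            return true;
        }
    }
    return false;
}

/* A packet matched the offloaded flow: push its deadline out by the fixed timeout. */
bool flow_refresh(struct flow_table *t, int id, long now)
{
    struct flow *f = flow_lookup(t, id);
    if (!f)
        return false;
    f->deadline = now + t->timeout;
    return true;
}

/* Garbage collector: evict flows whose deadline has passed; returns number evicted. */
int flow_gc(struct flow_table *t, long now)
{
    int evicted = 0;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (t->flows[i].active && t->flows[i].deadline <= now) {
            t->flows[i].active = false;
            evicted++;
        }
    }
    return evicted;
}

int flow_count(const struct flow_table *t)
{
    int n = 0;
    for (int i = 0; i < MAX_FLOWS; i++)
        n += t->flows[i].active ? 1 : 0;
    return n;
}

/* Constructed scenario: flows 1 and 2 are offloaded at t=0. Flow 1 sends a packet
 * every `interval` seconds (0 = idle, no keepalives); flow 2 never sends again
 * (peer died without FIN/RST). Returns how many flows remain offloaded after GC at `at`. */
int simulate(long timeout, long interval, long at)
{
    struct flow_table t;
    flow_table_init(&t, timeout);
    flow_add(&t, 1, 0);
    flow_add(&t, 2, 0);
    if (interval > 0)
        for (long now = interval; now <= at; now += interval)
            flow_refresh(&t, 1, now);
    flow_gc(&t, at);
    return flow_count(&t);
}

int main(void)
{
    printf("fixed 30s timeout, flow 1 active every 10s, after 1h: %d offloaded\n",
           simulate(OFFLOAD_TIMEOUT, 10, 3600));
    printf("ESTABLISHED timeout, same traffic, after 1h: %d offloaded\n",
           simulate(ESTABLISHED_TIMEOUT, 10, 3600));
    printf("fixed 30s timeout, flow 1 idle without keepalives, after 1h: %d offloaded\n",
           simulate(OFFLOAD_TIMEOUT, 0, 3600));
    return 0;
}
```

With the fixed timeout the dead flow is gone within its window while the active one is kept alive by refreshes; with the ESTABLISHED timeout the dead flow stays in the table for days. The third run shows the cost Felix points at: a legitimately idle connection with no keepalives is evicted from the offload table as well.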