conntrack -D suffers from a TOCTTOU race between querying the existing entries and deleting each entry one by one. Because entries can simply disappear because of a timeout, this is an unavoidable race that makes -D unreliable. Some users of conntrack have resorted to invoking conntrack in a loop. See, e.g.

    // Retry a few times because the conntrack command seems to fail at random.

from https://github.com/projectcalico/felix/blob/4bd4955/conntrack/conntrack.go#L81

Attached is a preliminary patch to add an --ignore-error option that behaves similarly to the -f (force) option of common command-line utilities. It's currently only obeyed in delete_cb as I'd like to get feedback on the semantics.

The basic idea is that --ignore-error is provided a list of error selectors to ignore, where the error selectors can be taken from err2str. For example, --ignore-error="delete+ENOENT" or just --ignore-error=delete causes delete_cb to continue even if the NFCT_Q_DESTROY operation failed.

A simpler alternative might be to ignore destroy failures in delete_cb altogether.
Attachment:
ignore-error-20190212.patch
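For readers who need the workaround today, the retry loop mentioned above written as a POSIX shell wrapper around `conntrack -D`. This is an added example, not code from the attached patch, from conntrack-tools, or from the felix source linked above. The function name `conntrack_delete_retry`, the `CONNTRACK` and `RETRY_SLEEP` variables, and the idea of confirming with `conntrack -L` (same selector) that nothing is left after a failed delete are all assumptions of this example; the real conntrack binary is only invoked if you run it on a host that has one.

```shell
#!/bin/sh
# Added example: bounded retry around `conntrack -D` to cope with the race
# described above (an entry listed by the query can expire before its own
# NFCT_Q_DESTROY is issued, making the whole run exit non-zero).
#
# CONNTRACK is the conntrack binary (assumed; overridable so the function can
# be exercised against a stand-in).  RETRY_SLEEP is the back-off in seconds
# between attempts (assumed; 0 disables it).
: "${CONNTRACK:=conntrack}"
: "${RETRY_SLEEP:=1}"

# conntrack_delete_retry MAX_TRIES [selector arguments for -D / -L ...]
#
# Returns 0 as soon as a delete run exits 0, or when a run fails but a
# follow-up listing with the same selector shows no remaining entries (the
# failure is then attributed to a racing expiry, i.e. the delete+ENOENT case).
# Returns 1 when MAX_TRIES runs have failed and matching entries still exist.
conntrack_delete_retry() {
    max="$1"; shift
    i=0
    while [ "$i" -lt "$max" ]; do
        i=$((i + 1))
        if "$CONNTRACK" -D "$@" >/dev/null 2>&1; then
            return 0
        fi
        # Delete run failed.  If nothing matching the selector is left, the
        # goal has been reached anyway; otherwise back off and try again.
        # (-L prints entries on stdout and its summary line on stderr.)
        if ! "$CONNTRACK" -L "$@" 2>/dev/null | grep -q .; then
            return 0
        fi
        sleep "$RETRY_SLEEP"
    done
    return 1
}

# Example usage (requires a real conntrack binary and CAP_NET_ADMIN):
#   conntrack_delete_retry 5 -p tcp --dport 80 || echo "entries still present"
```

Note that this only masks destroy failures caused by entries that have already gone; a run that keeps failing while entries remain (for example because of a permission error) still surfaces as a non-zero return after the retry budget is spent, which is roughly the distinction the proposed `delete+ENOENT` selector would draw inside conntrack itself.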