Re: [PATCH nf-next 0/3] Control nf flow table timeouts

On 6/10/2021 2:12 AM, Marcelo Ricardo Leitner wrote:
On Mon, Jun 07, 2021 at 02:16:09PM +0200, Pablo Neira Ayuso wrote:
On Thu, Jun 03, 2021 at 03:12:32PM +0300, Oz Shlomo wrote:
TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
Offloaded connections are aged after 30 seconds of inactivity.
Once aged, ownership is returned to conntrack with a hard coded tcp/udp
pickup time of 120/30 seconds, after which the connection may be deleted.

The current hard-coded pickup intervals may introduce a very aggressive
aging policy. For example, offloaded tcp connections in established state
will timeout from nf conntrack after just 150 seconds of inactivity,
instead of 5 days. In addition, the hard-coded 30 second offload timeout
period can significantly increase the hardware insertion rate requirements
in some use cases.

This patchset provides the user with the ability to configure protocol
specific offload timeout and pickup intervals via sysctl.
The first and second patches introduce the sysctl configuration for
tcp and udp protocols. The last patch modifies nf flow table aging
mechanisms to use the configured time intervals.

Series applied, thanks.

Patchset missed a description of the new sysctl entries in
nf_conntrack-sysctl.rst, btw.

I will update the documentation,
Thanks


   Marcelo
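The aging lifecycle the cover letter describes, worked through as an added example (this is not code from the thread, the patch series, or the kernel): an offloaded entry ages out of the flow table after `offload_timeout` seconds of inactivity, ownership returns to conntrack with a per-protocol pickup timeout, and the entry is deleted once that also expires. The model assumes a packet seen while offloaded refreshes the flow table entry and a packet seen during the pickup window re-offloads the flow; TCP state tracking and GC scan granularity are deliberately left out. The `HARDCODED` values are the ones quoted above (30 s offload, 120/30 s tcp/udp pickup); the `configured` policy in the usage is a constructed sample, not the sysctl defaults the series introduces.

```python
"""Simplified model of nf flow table aging (added example, not kernel code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AgingPolicy:
    offload_timeout: int  # seconds an idle entry stays in the flow table
    tcp_pickup: int       # conntrack timeout applied when a TCP flow is handed back
    udp_pickup: int       # same for UDP

    def pickup(self, proto: str) -> int:
        if proto == "tcp":
            return self.tcp_pickup
        if proto == "udp":
            return self.udp_pickup
        raise ValueError(f"unsupported protocol: {proto}")


# Pre-patch constants as quoted in the cover letter.
HARDCODED = AgingPolicy(offload_timeout=30, tcp_pickup=120, udp_pickup=30)


def idle_budget(policy: AgingPolicy, proto: str) -> int:
    """Longest idle gap a connection survives: flow table timeout plus pickup."""
    return policy.offload_timeout + policy.pickup(proto)


def simulate(policy: AgingPolicy, proto: str,
             packet_times: List[int]) -> Tuple[int, List[Tuple[int, str]]]:
    """Replay ascending packet timestamps; the first packet is the offload event.

    Returns (deletion_time, events). Packets after deletion are ignored, since
    they would start a new conntrack entry rather than revive this one.
    """
    if not packet_times:
        raise ValueError("need at least the packet that triggered offload")
    events = [(packet_times[0], "offloaded to flow table")]
    last_seen = packet_times[0]
    for t in packet_times[1:]:
        if t < last_seen:
            raise ValueError("timestamps must be ascending")
        gap = t - last_seen
        if gap <= policy.offload_timeout:
            last_seen = t          # fast-path hit: entry timeout refreshed
            continue
        t_return = last_seen + policy.offload_timeout
        events.append((t_return, "returned to conntrack"))
        if gap <= idle_budget(policy, proto):
            events.append((t, "re-offloaded"))  # assumption: slow path re-adds entry
            last_seen = t
            continue
        t_delete = t_return + policy.pickup(proto)
        events.append((t_delete, "deleted from conntrack"))
        return t_delete, events
    # No further traffic: the flow idles through both phases.
    t_return = last_seen + policy.offload_timeout
    t_delete = t_return + policy.pickup(proto)
    events += [(t_return, "returned to conntrack"), (t_delete, "deleted from conntrack")]
    return t_delete, events


def insertions(events: List[Tuple[int, str]]) -> int:
    """Count hardware/flow table insertions implied by an event list."""
    return sum(1 for _, what in events if what in ("offloaded to flow table", "re-offloaded"))


if __name__ == "__main__":
    # Established TCP flow that goes quiet: gone after 150 s with the old constants.
    print(simulate(HARDCODED, "tcp", [0]))
    # Constructed sample policy: longer offload window, 5-day TCP pickup.
    configured = AgingPolicy(offload_timeout=300, tcp_pickup=5 * 86400, udp_pickup=120)
    print(simulate(configured, "tcp", [0])[0])
    # One packet every 45 s: every packet re-inserts the flow under a 30 s timeout.
    sparse = list(range(0, 300, 45))
    print(insertions(simulate(HARDCODED, "tcp", sparse)[1]),
          insertions(simulate(configured, "tcp", sparse)[1]))
```

The last call illustrates the cover letter's second point: with a 30 s offload timeout a flow that sends a packet every 45 s is re-inserted on every packet, whereas a longer offload window keeps it on the fast path with a single insertion.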
