On Thu, Jun 24, 2021 at 12:36:40PM +0200, Florian Westphal wrote:
> Antonio Ojea reported a problem with a container environment where
> connection retries prevent expiry of a SYN_SENT conntrack entry.
>
> This in turn prevents a NAT rule from becoming active.
>
> Consider:
> client -----> conntrack ---> Host
>
> client sends a SYN, but $Host is unreachable/silent.
>
> In the reported case, $host address doesn't exist at all --
> it's a 'virtual' ip that is made accessible via dnat/redirect.
>
> The routing table even passes the packet back via the same interface
> it arrived on.
>
> In the meantime, a NAT rule has been added to the conntrack
> namespace, but it has no effect until the existing conntrack
> entry times out.
>
> Unfortunately, in the above scenario, the client retries reconnects
> faster than the SYN default timeout (60 seconds), i.e. the entry
> never expires and the 'virtual' ip never becomes active.
>
> First patch adds a test case:
> 3 namespaces, one sender, one receiver.
> sender connects to non-existent/virtual ip.
> Then a dnat rule gets added.
>
> The test case succeeds once conntrack tool shows that the nat rule
> was evaluated.
>
> Second patch prevents timeout refresh for entries stuck in
> SYN_SENT state.
>
> Without second patch the test case doesn't pass even though syn
> timeout is set to 10 seconds.

Series applied, thanks.
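The following is an added illustration, not code from the thread or from the kernel: a toy model of the SYN_SENT refresh behaviour the cover letter describes, comparing the old behaviour (a retransmitted SYN refreshes the entry's timeout) with the patched one (the entry keeps its original expiry). The 60 second timeout, the client retry interval and all names are assumptions; NAT rules are modelled as being consulted only when a new conntrack entry is created, which is why a DNAT rule added later stays inactive until the stale entry expires.

```python
# Toy model of conntrack SYN_SENT timeout handling (added example, not kernel code).
SYN_SENT_TIMEOUT = 60  # seconds, assumed default nf_conntrack_tcp_timeout_syn_sent


class Conntrack:
    """Minimal conntrack table tracking a single client->host flow."""

    def __init__(self, refresh_on_syn_retransmit):
        # True models the old behaviour (retransmitted SYN refreshes the timeout),
        # False models the patched behaviour (entry keeps its original expiry).
        self.refresh_on_syn_retransmit = refresh_on_syn_retransmit
        self.expires_at = None        # None means "no entry for this flow"
        self.dnat_rule_present = False
        self.dnat_evaluated_at = None  # time the DNAT rule was first applied

    def add_dnat_rule(self):
        self.dnat_rule_present = True

    def on_syn(self, now):
        """Process one client SYN at time `now` (seconds); return entry disposition."""
        if self.expires_at is not None and now >= self.expires_at:
            self.expires_at = None    # stale entry timed out, drop it
        if self.expires_at is None:
            # New entry: the only point at which NAT rules are consulted.
            self.expires_at = now + SYN_SENT_TIMEOUT
            if self.dnat_rule_present and self.dnat_evaluated_at is None:
                self.dnat_evaluated_at = now
            return "new"
        # Retransmitted SYN while still in SYN_SENT.
        if self.refresh_on_syn_retransmit:
            self.expires_at = now + SYN_SENT_TIMEOUT
        return "retransmit"


def simulate(refresh_on_syn_retransmit, retry_interval, rule_added_at, horizon=600):
    """Client SYNs every `retry_interval` s to a silent host; DNAT rule inserted at
    `rule_added_at`. Return when the rule is first applied, or None within `horizon`."""
    ct = Conntrack(refresh_on_syn_retransmit)
    t = 0
    while t <= horizon:
        if t >= rule_added_at:
            ct.add_dnat_rule()
        ct.on_syn(t)
        if ct.dnat_evaluated_at is not None:
            return ct.dnat_evaluated_at
        t += retry_interval
    return None


if __name__ == "__main__":
    print("old behaviour, 5s retries:", simulate(True, 5, 7))    # None: never expires
    print("patched, 5s retries:", simulate(False, 5, 7))         # 60: entry expires
```

With retries slower than the timeout, both variants let the entry expire, which is why the problem only surfaces when the client reconnects faster than the SYN_SENT timeout.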