Re: [PATCH nf] netfilter: conntrack: remove offload_pickup sysctl again



Hi Florian,

On 8/4/2021 2:19 PM, Florian Westphal wrote:
> Oz Shlomo <ozsh@xxxxxxxxxx> wrote:
>>> When flow transitions back from offload to software, also clear the
>>> ASSURED bit -- this allows conntrack to early-expire the entry in case
>>> the table is full.
>>
>> Doesn't this introduce a discrepancy between offloaded and non-offload connections?
>> IIUC, offloaded connections might timeout earlier after they are picked up
>> by the software when the conntrack table is full.
>
> Yes, if no packet was seen after the flow got moved back to software and
> a new connection request is made while table is full.

Then perhaps it is better not to clear the ASSURED bit.
What do you think?

>> However, if the same tcp connection was not offloaded it would timeout after 5 days.
>
> Yes.  The problem is that AFAIU HW may move flow back to SW path after
> it saw e.g. FIN bit, or after one side went silent (i.e., unacked data).
>
> And in that case, SW path has a lot smaller timeout than the 5day
> established value.
>
> AFAICS there is no way to detect this on generic side and it might even
> be different depending on hw/driver?

Actually, the hardware sends all packets with a set FIN flag to sw.
When act_ct processes a FIN packet it sets the teardown flag for the offloaded connection and continues to process the packet through nf conntrack.
Therefore, the connection timeout interval will be updated by nf conntrack.

Connections that are aged in hardware are expected to be in the established state.
Therefore, the pickup time should align with the nf conntrack settings.
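The discussion above turns on which ESTABLISHED entries carry the ASSURED bit, since those without it are the ones early-drop may evict when the table is full. The following is an added example, not code from the thread, the kernel or conntrack-tools: a small sh/awk filter that takes `conntrack -L` output and lists ESTABLISHED TCP entries lacking `[ASSURED]`. The sample lines, their addresses and ports, and the `[OFFLOAD]` flag on one of them are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the netfilter thread or the kernel tree): list
# ESTABLISHED conntrack entries that lack the ASSURED status bit, i.e. the
# ones early-drop may evict first when the conntrack table is full.

# Constructed sample in the format printed by `conntrack -L`; the addresses,
# ports and the [OFFLOAD] flag on the third entry are assumptions.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=4444 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=4444 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=10.0.0.2 sport=5555 dport=80 src=10.0.0.2 dst=10.0.0.3 sport=80 dport=5555 mark=0 use=1
tcp      6 30 ESTABLISHED src=10.0.0.4 dst=10.0.0.2 sport=6666 dport=80 src=10.0.0.2 dst=10.0.0.4 sport=80 dport=6666 [OFFLOAD] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.2 sport=53 dport=53 src=10.0.0.2 dst=10.0.0.5 sport=53 dport=53 mark=0 use=1'

# Print "<timeout> <src> <dst> <sport> <dport>" (original direction) for
# every ESTABLISHED TCP entry with no [ASSURED] flag.
# Reads conntrack -L output on stdin.
unassured_established() {
    awk '$1 == "tcp" && $4 == "ESTABLISHED" && index($0, "[ASSURED]") == 0 {
        printf "%s %s %s %s %s\n", $3, $5, $6, $7, $8
    }'
}

# Number of such entries, handy as a one-number health check.
count_unassured() {
    unassured_established | wc -l | tr -d ' '
}

# Live usage on a real box: conntrack -L 2>/dev/null | unassured_established
printf '%s\n' "$SAMPLE" | unassured_established
```

On the constructed sample the filter reports the second and third entries (one never assured, one flagged `[OFFLOAD]`) and ignores the UDP line. Comparing the first column (remaining timeout) with `nf_conntrack_tcp_timeout_established` shows whether a picked-up flow still has the long established timeout the thread refers to.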
