Re: [PATCH v2 nf] netfilter: conntrack: remove offload_pickup sysctl again

On 8/4/2021 4:19 PM, Marcelo Ricardo Leitner wrote:
> On Wed, Aug 04, 2021 at 03:02:15PM +0200, Florian Westphal wrote:
>> These two sysctls were added because the hardcoded defaults (2 minutes,
>> tcp, 30 seconds, udp) turned out to be too low for some setups.
>>
>> They appeared in 5.14-rc1 so it should be fine to remove them again.
>>
>> Marcelo convinced me that there should be no difference between a flow
>> that was offloaded vs. a flow that was not wrt. timeout handling.
>> Thus the default is changed to those for TCP established and UDP stream,
>> 5 days and 120 seconds, respectively.
>>
>> Marcelo also suggested accounting for the timeout value used for the
>> offloading; this avoids increasing beyond the value in the conntrack sysctl
>> and will also instantly expire the conntrack entry with altered sysctls.
>>
>> Example:
>>     nf_conntrack_udp_timeout_stream=60
>>     nf_flowtable_udp_timeout=60
>>
>> This will remove offloaded udp flows after one minute, rather than two.
>>
>> An earlier version of this patch also cleared the ASSURED bit to
>> allow nf_conntrack to evict the entry via early_drop (i.e., table full).
>> However, it looks like we can safely assume that a connection timed out
>> via HW is still in the established state, so this isn't needed.
>>
>> Quoting Oz:
>>   [..] the hardware sends all packets with a set FIN flags to sw.
>>   [..] Connections that are aged in hardware are expected to be in the
>>   established state.
>>
>> In case it turns out that back-to-sw-path transition can occur for
>> 'dodgy' connections too (e.g., one side disappeared while software-path
>> would have been in RETRANS timeout), we can adjust this later.
> Yup. Maybe an early soft timeout in sw.
>

>> Cc: Oz Shlomo <ozsh@xxxxxxxxxx>
>> Cc: Paul Blakey <paulb@xxxxxxxxxx>
>> Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
>
> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>
> Thanks!


Reviewed-by: Oz Shlomo <ozsh@xxxxxxxxxx>
