On 8/4/2021 4:19 PM, Marcelo Ricardo Leitner wrote:
> On Wed, Aug 04, 2021 at 03:02:15PM +0200, Florian Westphal wrote:
>> These two sysctls were added because the hardcoded defaults (2 minutes,
>> tcp, 30 seconds, udp) turned out to be too low for some setups.
>>
>> They appeared in 5.14-rc1 so it should be fine to remove it again.
>>
>> Marcelo convinced me that there should be no difference between a flow
>> that was offloaded vs. a flow that was not wrt. timeout handling.
>> Thus the default is changed to those for TCP established and UDP stream,
>> 5 days and 120 seconds, respectively.
>>
>> Marcelo also suggested to account for the timeout value used for the
>> offloading, this avoids increase beyond the value in the conntrack-sysctl
>> and will also instantly expire the conntrack entry with altered sysctls.
>>
>> Example:
>>    nf_conntrack_udp_timeout_stream=60
>>    nf_flowtable_udp_timeout=60
>>
>> This will remove offloaded udp flows after one minute, rather than two.
>>
>> An earlier version of this patch also cleared the ASSURED bit to
>> allow nf_conntrack to evict the entry via early_drop (i.e., table full).
>> However, it looks like we can safely assume that connection timed out
>> via HW is still in established state, so this isn't needed.
>>
>> Quoting Oz:
>>   [..] the hardware sends all packets with a set FIN flags to sw.
>>   [..] Connections that are aged in hardware are expected to be in the
>>   established state.
>>
>> In case it turns out that back-to-sw-path transition can occur for
>> 'dodgy' connections too (e.g., one side disappeared while software-path
>> would have been in RETRANS timeout), we can adjust this later.
>
> Yup. Maybe an early soft timeout in sw.
>
>> Cc: Oz Shlomo <ozsh@xxxxxxxxxx>
>> Cc: Paul Blakey <paulb@xxxxxxxxxx>
>> Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
>
> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>
> Thanks!

Reviewed-by: Oz Shlomo <ozsh@xxxxxxxxxx>