On Wed, Aug 04, 2021 at 03:02:15PM +0200, Florian Westphal wrote:
> These two sysctls were added because the hardcoded defaults (2 minutes,
> tcp, 30 seconds, udp) turned out to be too low for some setups.
>
> They appeared in 5.14-rc1 so it should be fine to remove it again.
>
> Marcelo convinced me that there should be no difference between a flow
> that was offloaded vs. a flow that was not wrt. timeout handling.
> Thus the default is changed to those for TCP established and UDP stream,
> 5 days and 120 seconds, respectively.
>
> Marcelo also suggested to account for the timeout value used for the
> offloading, this avoids increase beyond the value in the conntrack-sysctl
> and will also instantly expire the conntrack entry with altered sysctls.
>
> Example:
> nf_conntrack_udp_timeout_stream=60
> nf_flowtable_udp_timeout=60
>
> This will remove offloaded udp flows after one minute, rather than two.
>
> An earlier version of this patch also cleared the ASSURED bit to
> allow nf_conntrack to evict the entry via early_drop (i.e., table full).
> However, it looks like we can safely assume that connection timed out
> via HW is still in established state, so this isn't needed.
>
> Quoting Oz:
> [..] the hardware sends all packets with a set FIN flags to sw.
> [..] Connections that are aged in hardware are expected to be in the
> established state.
>
> In case it turns out that back-to-sw-path transition can occur for
> 'dodgy' connections too (e.g., one side disappeared while software-path
> would have been in RETRANS timeout), we can adjust this later.

Applied, thanks.