Re: Re: [PATCH nf-next] netfilter: nf_flow_table: delay teardown the offload flow until fin packet recv from both direction

["wenxu@xxxxxxxxxxxxxxx" <wenxu@xxxxxxxxxxxxxxx>]

>



>



>Hi,



> 



>On Tue, Jul 26, 2022 at 12:45:16AM -0400, wenxu@xxxxxxxxxxxxxxx wrote:



>> From: wenxu <wenxu@xxxxxxxxxxxxxxx>



>> 



>> A fin packet receive not always means the tcp connection teardown.



>> For tcp half close case, only the client shutdown the connection



>> and the server still can sendmsg to the client. The connection



>> can still be offloaded until the server shutdown the connection.



>> 



>> Signed-off-by: wenxu <wenxu@xxxxxxxxxxxxxxx>



>> ---



>>  include/net/netfilter/nf_flow_table.h |  3 ++-



>>  net/netfilter/nf_flow_table_ip.c      | 14 ++++++++++----



>>  2 files changed, 12 insertions(+), 5 deletions(-)



>> 



>> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h



>> index d5326c4..0c4864d 100644



>> --- a/include/net/netfilter/nf_flow_table.h



>> +++ b/include/net/netfilter/nf_flow_table.h



>> @@ -129,7 +129,8 @@ struct flow_offload_tuple {



>>  /* All members above are keys for lookups, see flow_offload_hash(). */



>>  struct { } __hash;



>>  



>> - u8 dir:2, 



>> + u8 dir:1,



>> + fin:1,



>>  xmit_type:3,



>>  encap_num:2,



>>  in_vlan_ingress:2;



>> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c



>> index b350fe9..c191861 100644



>> --- a/net/netfilter/nf_flow_table_ip.c



>> +++ b/net/netfilter/nf_flow_table_ip.c



>> @@ -19,7 +19,8 @@



>>  #include <linux/udp.h>



>>  



>>  static int nf_flow_state_check(struct flow_offload *flow, int proto,



>> -        struct sk_buff *skb, unsigned int thoff)



>> +        struct sk_buff *skb, unsigned int thoff,



>> +        enum flow_offload_tuple_dir dir)



>>  {



>>  struct tcphdr *tcph;



>>  



>> @@ -27,9 +28,14 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto,



>>  return 0;



>>  



>>  tcph = (void *)(skb_network_header(skb) + thoff);



>> - if (unlikely(tcph->fin || tcph->rst)) {



>> + if (unlikely(tcph->rst)) {



>>  flow_offload_teardown(flow);



>>  return -1;



>> + } else if (unlikely(tcph->fin)) {



>> + flow->tuplehash[dir].tuple.fin = 1;



>> + if (flow->tuplehash[!dir].tuple.fin == 1)



>> + flow_offload_teardown(flow);



> 



>> Maybe add a new flag to enum nf_flow_flags instead?



>>



Maybe two flags need for this:  NF_FLOW_FIN_ORIGIN, NF_FLOW_RELPY?