On Wed, Mar 13, 2024 at 04:02:03PM +0100, Florian Westphal wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > No idea, but it was intentional, see
> > b6f27d322a0a ("netfilter: nf_flow_table: tear down TCP flows if RST or FIN was seen")
> 
> Maybe:
> 
> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> --- a/net/netfilter/nf_flow_table_ip.c
> +++ b/net/netfilter/nf_flow_table_ip.c
> @@ -28,10 +28,8 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto,
>  		return 0;
>  
>  	tcph = (void *)(skb_network_header(skb) + thoff);
> -	if (unlikely(tcph->fin || tcph->rst)) {
> -		flow_offload_teardown(flow);
> +	if (unlikely(tcph->fin || tcph->rst))
>  		return -1;
> -	}
>  
>  	return 0;
>  }
> 
> ?
> 
> This will let gc step clean the entry from the flowtable.

Thanks for your answer. I double checked and the problem is that the timeout in flow_offload_fixup_ct is set to a very small value and the state is deleted immediately afterwards.

I will try out this patch tomorrow:

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index a7a216fc3207..29c6b9eef50d 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -195,8 +195,9 @@ static void flow_offload_fixup_ct(struct nf_conn *ct)
 		return;
 	}
 
-	if (timeout < 0)
-		timeout = 0;
+	// Have at least some time left on the state
+	if (timeout < NF_FLOW_TIMEOUT)
+		timeout = NF_FLOW_TIMEOUT;
 
 	if (nf_flow_timeout_delta(READ_ONCE(ct->timeout)) > (__s32)timeout)
 		WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout);
-- 
2.42.0

I was able to mitigate it by setting my TCP_FIN_WAIT timeout to 240 and now the state is not deleted immediately. I think in general this happens because either the packets come in out of order or there is a double FIN packet. I am not 100% sure about the cause and it only happens with a small number of connections when they close.

Best
Sven
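Review bot: on the quoted nf_flow_state_check hunk, dropping the flow_offload_teardown(flow) call in the FIN/RST branch leaves the flow entry active after the FIN or RST has been handed back to the slow path with the -1 return: only that one segment is diverted, and since the function still ends in "return 0;" for every other segment, the remaining packets of the closing connection keep taking the fast path, so the entry can outlive the connection until the gc step expires it on its own timeout, which is the situation the teardown introduced in b6f27d322a0a was added to avoid. If the intent is really to let gc remove it, the entry should at least be marked as expired or torn down here while still returning -1, or the commit message needs to explain why keeping a closed connection in the fast path for up to the flow timeout is acceptable.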
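Review bot: the new floor in flow_offload_fixup_ct only stops the fixup from shortening ct->timeout below NF_FLOW_TIMEOUT; the unchanged check that follows, "if (nf_flow_timeout_delta(READ_ONCE(ct->timeout)) > (__s32)timeout)", still only ever lowers the timeout, so an entry whose remaining time is already below NF_FLOW_TIMEOUT is not extended, and the clamp silently overrides any per-state conntrack timeout an administrator has deliberately set low enough to land under NF_FLOW_TIMEOUT after the offload deduction. The comment should state why NF_FLOW_TIMEOUT is the right floor rather than "some time", and it should use kernel style "/* ... */" instead of "//".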
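To make the effect of the two clamps concrete, here is a small userspace model of the timeout arithmetic in the flow_offload_fixup_ct hunk above. This is an added example, not kernel code and not from either participant in the thread: the kernel works in jiffies and reads the values from the per-netns conntrack sysctls, whereas this model takes all values in seconds as parameters; the struct, function names and the "floor" parameter are inventions of the model, the 30-second values for NF_FLOW_TIMEOUT and the offload timeout are the kernel defaults as assumed here, and the FIN_WAIT values are constructed inputs, not measurements. The last case shows why raising the floor does not help an entry that has already run down: the fixup can only shorten a conntrack timeout, never extend it.

```c
/*
 * Added illustration, not kernel code: a userspace model of the timeout
 * arithmetic in flow_offload_fixup_ct() (net/netfilter/nf_flow_table_core.c).
 * All values are in seconds; the kernel uses jiffies and sysctl values.
 * struct fixup_input, fixup_ct_remaining() and the "floor" field are
 * inventions of this model so that the current clamp (floor 0) and the
 * proposed clamp (floor NF_FLOW_TIMEOUT) can be compared side by side.
 */
#include <stdio.h>

/* NF_FLOW_TIMEOUT is 30 seconds (30 * HZ) in the kernel; assumed here. */
#define MODEL_NF_FLOW_TIMEOUT 30

struct fixup_input {
	int state_timeout;   /* nf_conntrack_tcp_timeout_<state> of the ct, seconds */
	int offload_timeout; /* nf_conntrack_tcp_timeout_offload, seconds */
	int ct_remaining;    /* seconds left on ct->timeout when the flow is torn down */
	int floor;           /* lower clamp: 0 = current code, 30 = posted patch */
};

/*
 * Returns the seconds left on the conntrack entry after the fixup.  Mirrors:
 *
 *   timeout = tn->timeouts[state] - tn->offload_timeout;
 *   if (timeout < floor) timeout = floor;
 *   if (nf_flow_timeout_delta(ct->timeout) > timeout)
 *           WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout);
 *
 * The final compare means the fixup only ever shortens the entry.
 */
int fixup_ct_remaining(const struct fixup_input *in)
{
	int timeout = in->state_timeout - in->offload_timeout;

	if (timeout < in->floor)
		timeout = in->floor;

	if (in->ct_remaining > timeout)
		return timeout;
	return in->ct_remaining;
}

/* The clamp as it is in the tree today: "if (timeout < 0) timeout = 0;". */
int fixup_current(int state_timeout, int offload_timeout, int ct_remaining)
{
	struct fixup_input in = { state_timeout, offload_timeout, ct_remaining, 0 };

	return fixup_ct_remaining(&in);
}

/* The clamp as proposed in the patch: floor at NF_FLOW_TIMEOUT. */
int fixup_patched(int state_timeout, int offload_timeout, int ct_remaining)
{
	struct fixup_input in = { state_timeout, offload_timeout, ct_remaining,
				  MODEL_NF_FLOW_TIMEOUT };

	return fixup_ct_remaining(&in);
}

int main(void)
{
	/* Constructed scenarios: FIN_WAIT lowered to 30 s, offload timeout at its 30 s default. */
	printf("fin_wait=30,  current clamp: %d s left\n", fixup_current(30, 30, 120));   /* 0   */
	printf("fin_wait=30,  patched clamp: %d s left\n", fixup_patched(30, 30, 120));   /* 30  */
	printf("fin_wait=30,  patched clamp, ct already at 10 s: %d s left\n",
	       fixup_patched(30, 30, 10));                                                /* 10  */
	/* The mitigation from the thread: FIN_WAIT raised to 240 s, no clamp needed. */
	printf("fin_wait=240, current clamp: %d s left\n", fixup_current(240, 30, 120));  /* 120 */
	return 0;
}
```

The model deliberately takes ct_remaining as an input rather than deriving it, because how much time is left on ct->timeout at teardown depends on refresh behaviour elsewhere in the flowtable code that this hunk does not touch.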