Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> I think you have a valid point with the not calling flow_offload_teardown but maybe
> we need to do something else instead like lower the flowtable entry timeout to trigger a
> faster gc for both udp and tcp.

conntrack core should receive the fin/rst packet, and should switch the
state entry accordingly, i.e. away from established.

I suspect that gc_worker() "repairs" the timeout to a huge value again
because the OFFLOAD flag is left in place.

However, this change:

> > if (nf_flow_has_expired(flow) ||
> > nf_ct_is_dying(flow->ct) ||
> > + !nf_conntrack_tcp_established(ct) ||
> > nf_flow_custom_gc(flow_table, flow))
> > flow_offload_teardown(flow);

(well, flow->ct, I did not test this at all).

should still make flowtable gc remove the entry.

I think if possible we should get rid of ct/flowtable entanglements
where possible rather than adding more. F.e. early drop should probably not
test or care about offload flag anymore.
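
Review bot: the added `!nf_conntrack_tcp_established(ct)` term in the quoted hunk sits in the same OR chain as the other conditions with no protocol check visible, so it would be evaluated for every flow the gc visits, including the udp flows mentioned earlier in the thread. Suggest guarding it so the TCP state test only applies to TCP entries, otherwise non-TCP flows risk being torn down on every gc pass. The term also uses a bare `ct` while the neighbouring line uses `flow->ct` and no `ct` local is visible in the hunk, so it should read `!nf_conntrack_tcp_established(flow->ct)`, as the reply itself notes. A one-line comment on why a non-established entry is torn down here would help the next reader, since the reasoning (conntrack has already seen fin/rst and left the established state) only appears in the mail.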