On Wed, Mar 20, 2024 at 11:13:23AM +0100, Sven Auhagen wrote:
> On Wed, Mar 20, 2024 at 10:51:39AM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Mar 20, 2024 at 10:31:00AM +0100, Sven Auhagen wrote:
> > > On Wed, Mar 20, 2024 at 10:27:30AM +0100, Pablo Neira Ayuso wrote:
> > > > On Wed, Mar 20, 2024 at 10:20:29AM +0100, Sven Auhagen wrote:
[...]
> > > I think for it to be foolproof we need
> > > to migrate the TCP state as well in flow_offload_teardown_tcp to FIN or CLOSE.
> >
> > My patch already does it:
> >
> > +void flow_offload_teardown_tcp(struct flow_offload *flow, bool fin)
> > +{
> > + enum tcp_conntrack tcp_state;
> > +
> > + if (fin)
> > + tcp_state = TCP_CONNTRACK_FIN_WAIT;
> > + else /* rst */
> > + tcp_state = TCP_CONNTRACK_CLOSE;
> > +
> > + flow_offload_fixup_tcp(nf_ct_net(flow->ct), flow->ct, tcp_state);
> >
> > flow_offload_fixup_tcp() updates the TCP state to FIN / CLOSE state.
>
> Ah you are correct.
> Nevertheless I can tell you that I still see this problem with the patch attached:
>
> [UPDATE] tcp 6 120 FIN_WAIT src=192.168.7.105 dst=17.253.57.219 sport=49574 dport=443 src=17.253.57.219 dst=87.138.198.79 sport=443 dport=5078 [OFFLOAD] mark=25165825
> [UPDATE] tcp 6 30 LAST_ACK src=192.168.7.105 dst=17.253.57.219 sport=49574 dport=443 src=17.253.57.219 dst=87.138.198.79 sport=443 dport=5078 [ASSURED] mark=25165825
> [UPDATE] tcp 6 10 CLOSE src=192.168.7.105 dst=17.253.57.219 sport=49574 dport=443 src=17.253.57.219 dst=87.138.198.79 sport=443 dport=5078 [ASSURED] mark=25165825
> [DESTROY] tcp 6 CLOSE src=192.168.7.105 dst=17.253.57.219 sport=49574 dport=443 packets=15 bytes=2688 src=17.253.57.219 dst=87.138.198.79 sport=443 dport=5078 packets=18 bytes=7172 [ASSURED] mark=25165825 delta-time=126

Just to make sure, are you testing with these two patches?

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240320092638.798076-1-pablo@xxxxxxxxxxxxx/
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240320092638.798076-2-pablo@xxxxxxxxxxxxx/
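
Review bot: in the quoted flow_offload_teardown_tcp() hunk, the bool fin argument sends every non-FIN caller into the "else /* rst */" branch and so to TCP_CONNTRACK_CLOSE; a caller tearing down for any other reason would silently force CLOSE. Passing the target state (or an enum reason) instead of a bool would make the call sites self-describing. In addition, nothing in the visible lines checks the entry's current conntrack state before choosing TCP_CONNTRACK_FIN_WAIT, so unless flow_offload_fixup_tcp() guards against it, the state could be moved back from a later one; a short comment above the function stating which states it expects on entry would settle that.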