Treat fin packets like tcp packets with IP options or packets that would need fragmentation: pass them to slow path, but keep the flowtable entry around. This allows to keep connections where one peer closes early but keeps receiving data for a long time in forwarding fast path. Conntrack should be moving the nf_conn entry towards a much lower timeout, (default fin_wait 2 minutes). Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/netfilter/nf_flow_table_ip.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 98edcaa37b38..94d83003acf0 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -28,11 +28,14 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto, return 0; tcph = (void *)(skb_network_header(skb) + thoff); - if (unlikely(tcph->fin || tcph->rst)) { + if (unlikely(tcph->rst)) { flow_offload_teardown(flow); return -1; } + if (unlikely(tcph->fin)) + return -1; + return 0; } -- 2.44.2
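Review bot: In nf_flow_state_check(), the new `if (unlikely(tcph->fin)) return -1;` branch returns the same -1 as the RST branch but deliberately skips flow_offload_teardown(), and nothing in the code says why. A short comment above it would help, stating that a FIN is handed to the slow path while the flowtable entry is kept so that conntrack sees the FIN and can apply its fin_wait timeout. That would stop a later reader from folding it back into the teardown branch. The commit message only says conntrack "should be" lowering the nf_conn timeout. Please also state, in the message or the comment, what removes the flow entry once both directions have sent FIN. This hunk no longer tears the entry down on that path, and an entry that outlives its connection would keep matching packets in the forwarding fast path.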