Hi,

This patch is still not processed further:
https://patchwork.ozlabs.org/project/netfilter-devel/list/?submitter=89472

May I ask when this patch is planned to be merged?

Thanks,
Yadan Fan

On 10/10/24 20:19, Yadan Fan wrote:
> c46172147ebb brought the logic that never setting ASSURED to drop NAT_CLASH replies
> in case server is very busy and early_drop logic kicks in.
>
> However, this will drop all subsequent UDP packets that sent through multiple threads
> of application, we already had a customer reported this issue that impacts their business,
> so deleting this logic to avoid this issue at the moment.
>
> Fixes: c46172147ebb ("netfilter: conntrack: do not auto-delete clash entries on reply")
>
> Signed-off-by: Yadan Fan <ydfan@xxxxxxxx>
> ---
> net/netfilter/nf_conntrack_proto_udp.c | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c > index 0030fbe8885c..def3e06430eb 100644 > --- a/net/netfilter/nf_conntrack_proto_udp.c > +++ b/net/netfilter/nf_conntrack_proto_udp.c > @@ -116,10 +116,6 @@ int nf_conntrack_udp_packet(struct nf_conn *ct, > > nf_ct_refresh_acct(ct, ctinfo, skb, extra); > > - /* never set ASSURED for IPS_NAT_CLASH, they time out soon */ > - if (unlikely((status & IPS_NAT_CLASH))) > - return NF_ACCEPT; > - > /* Also, more likely to be important, and not a probe */ > if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) > nf_conntrack_event_cache(IPCT_ASSURED, ct);

--
Yadan Fan, SUSE L3
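Review bot: With the `IPS_NAT_CLASH` early return deleted in the `@@ -116,10 +116,6 @@` hunk of nf_conntrack_udp_packet(), clash entries now fall through to `test_and_set_bit(IPS_ASSURED_BIT, &ct->status)` and can become ASSURED, which removes the protection the changelog attributes to c46172147ebb (keeping NAT_CLASH entries evictable when the server is busy and early_drop kicks in) without putting anything in its place. The changelog says subsequent UDP packets from multi-threaded senders get dropped, but does not explain how a check that returns `NF_ACCEPT` leads to those drops, so a reader cannot tell whether a full revert is needed or a narrower condition would do. Please describe the failure sequence in the commit message, state what happens to table pressure from clash entries after this change, and note that the removal is meant as a stopgap ("at the moment") in a comment or follow-up plan. Also confirm that `status` is still read elsewhere in the function after this deletion, and drop the blank line between the `Fixes:` and `Signed-off-by:` tags so the trailer block is contiguous.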