Subject: Netfilter ignores the timeout settings for a flowtable

    # sysctl -a -r flowtable
    net.netfilter.nf_flowtable_tcp_timeout = 30
    net.netfilter.nf_flowtable_udp_timeout = 30

Situation. A long UDP connection (tunnel) with some data flowing through a router. The connection is sent to a flowtable on the router. It's a few packets per second, more here and there, a pause here and there, and so on over and over. The pauses are minimal and are also limited by the tunnel settings to be no longer than 25 seconds. Everything is satisfying to make the connection last continuously in the flowtable and not reappear in forward. However, the connection keeps dropping out of the flowtable. It stays in the flowtable (offloaded) for a second at most and then it is kicked out, back to forward.
In the attached test script you can see counters that should be zero but are not. If I watch the normal packet flow on a particular router, I can see packets in the conntrack table that should be OFFLOAD as ASSURED. Tested in kernel 6.5.6. In an old(er) kernel 5.10 it works as expected.

Regards
Vladimir Smelhaus
Attachment: test_flowtable.sh (application/shellscript)
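The report above says the attached script counts conntrack entries that "should be zero but are not", i.e. UDP entries that are established ([ASSURED]) yet not marked [OFFLOAD]. The following is an added example of such a check, written for this page and not the poster's test_flowtable.sh: it prints a minimal nftables ruleset that offloads established UDP into a flowtable (interface names, table and chain names are assumptions), and it counts entries from `conntrack -L` output that are [ASSURED] but carry no [OFFLOAD] flag. The conntrack lines embedded below are constructed samples in the format `conntrack -L` prints; addresses and ports are made up.

```shell
#!/bin/sh
# Added example (not the poster's script): check how many established UDP
# conntrack entries are NOT flowtable-offloaded.  With a working flowtable the
# count for a steadily flowing tunnel should stay at zero between samples.

# Assumed ruleset: device names, table and chain names are placeholders.
# Load as root with:  print_ruleset | nft -f -
print_ruleset() {
    cat <<'EOF'
table inet ft_test {
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, eth1 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip protocol udp ct state established flow add @ft
    }
}
EOF
}

# Constructed sample in the layout of `conntrack -L` (not real capture data).
SAMPLE_CONNTRACK='udp      17 29 src=10.0.0.2 dst=10.0.1.2 sport=51820 dport=51820 src=10.0.1.2 dst=10.0.0.2 sport=51820 dport=51820 [OFFLOAD] mark=0 use=2
udp      17 28 src=10.0.0.3 dst=10.0.1.2 sport=51821 dport=51820 src=10.0.1.2 dst=10.0.0.3 sport=51820 dport=51821 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.4 dst=10.0.1.2 sport=51822 dport=51820 [UNREPLIED] src=10.0.1.2 dst=10.0.0.4 sport=51820 dport=51822 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.1.2 sport=40000 dport=22 src=10.0.1.2 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] mark=0 use=1'

# count_offloaded PROTO < conntrack-output
# Number of PROTO entries currently handled by the flowtable ([OFFLOAD]).
count_offloaded() {
    awk -v proto="$1" '
        $1 == proto && index($0, "[OFFLOAD]") { n++ }
        END { print n + 0 }
    '
}

# count_unoffloaded_assured PROTO < conntrack-output
# Number of PROTO entries that are established ([ASSURED]) but have fallen
# back to the slow path (no [OFFLOAD] flag).  This is the counter the bug
# report expects to be zero for a continuously flowing tunnel.
count_unoffloaded_assured() {
    awk -v proto="$1" '
        $1 == proto && index($0, "[ASSURED]") && !index($0, "[OFFLOAD]") { n++ }
        END { print n + 0 }
    '
}

# live_check PROTO [SECONDS]: sample the real conntrack table once per second
# (needs root and conntrack-tools; not exercised here).
live_check() {
    proto="$1"; secs="${2:-10}"
    i=0
    while [ "$i" -lt "$secs" ]; do
        out=$(conntrack -L -p "$proto" 2>/dev/null)
        printf 't=%ss offloaded=%s assured_not_offloaded=%s\n' "$i" \
            "$(printf '%s\n' "$out" | count_offloaded "$proto")" \
            "$(printf '%s\n' "$out" | count_unoffloaded_assured "$proto")"
        i=$((i + 1)); sleep 1
    done
}

# Demonstration on the constructed sample: one UDP flow is offloaded, one
# established UDP flow is not, the unreplied one is ignored.
printf 'udp offloaded=%s assured_not_offloaded=%s\n' \
    "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_offloaded udp)" \
    "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_unoffloaded_assured udp)"
```

Running `live_check udp 30` on the router while the tunnel is active would show, second by second, whether the flow stays in the flowtable or keeps returning to the forward path as the report describes; `[UNREPLIED]` entries are deliberately not counted, since a one-directional flow is never a candidate for offload.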