On Tue, 12 Nov 2024 at 07:41, Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
>
> On Tue, 12 Nov 2024 at 02:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > On Tue, Nov 12, 2024 at 10:16:45AM +0100, Pablo Neira Ayuso wrote:
> > > I guess the concern is that assured flows cannot be expelled from the
> > > conntrack table via early_drop, that is why an expedited cleanup is
> > > important?
> >
> > Actually, the issue is that packets could end up in a backend which
> > does not exist after re-configuration, therefore, removing the entry
> > needs to happen so ongoing flows have a chance to talk to another
> > (different) backend.
>
> Please take a look at the attached kselftest that emulates the
> problematic behavior in kubernetes.
>
> I think that in UDP the nat rule should take precedence over the
> conntrack entry, on the contrary to TCP where it is important to
> preserve the session if it has been established.
>
> I did only a quick test and it seems to fail also with Florian's patch.

Please disregard the a/tools/testing/selftests/net/netfilter/conntrack_vrf.sh file in the patch, it is a leftover of some local tests.
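The operational side of the point made above (stale UDP entries keep steering a flow to a backend that no longer exists, so the entry has to go), as an added example that is not part of the thread or of the kselftest: a small script that reads `conntrack -L` style text, picks out the UDP entries whose reply-side source (the DNAT target) is one of the removed backends, and emits the `conntrack -D` commands that would flush them. The conntrack lines are constructed sample data; the `--orig-dst`/`--reply-src` selectors are the ones conntrack-tools provides.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output: two UDP DNAT entries for the
# service VIP 10.96.0.10 (backends 10.244.1.3 and 10.244.2.9) and one TCP entry.
SAMPLE_CT='udp      17 29 src=10.244.0.5 dst=10.96.0.10 sport=45678 dport=53 src=10.244.1.3 dst=10.244.0.5 sport=53 dport=45678 [ASSURED] mark=0 use=1
udp      17 12 src=10.244.0.7 dst=10.96.0.10 sport=51000 dport=53 src=10.244.2.9 dst=10.244.0.7 sport=53 dport=51000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.244.0.5 dst=10.96.0.10 sport=40000 dport=80 src=10.244.1.3 dst=10.244.0.5 sport=80 dport=40000 [ASSURED] mark=0 use=1'

# stale_udp_flush_cmds <removed-backend-ip>...
# Reads conntrack -L text on stdin and prints one `conntrack -D` command per
# UDP entry whose reply-side src= (the backend the flow was DNATed to) is in
# the removed set. TCP entries are left alone, matching the thread's argument
# that established TCP sessions should be preserved.
stale_udp_flush_cmds() {
    awk -v removed="$*" '
    BEGIN { n = split(removed, r, " "); for (i = 1; i <= n; i++) gone[r[i]] = 1 }
    $1 == "udp" {
        # Field order: original src=/dst=, then reply src=/dst=.
        orig_dst = ""; reply_src = ""; seen_src = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { seen_src++; if (seen_src == 2) reply_src = substr($i, 5) }
            else if ($i ~ /^dst=/ && orig_dst == "") orig_dst = substr($i, 5)
        }
        if (reply_src in gone)
            printf "conntrack -D -p udp --orig-dst %s --reply-src %s\n", orig_dst, reply_src
    }'
}

# Convenience wrapper that runs the selector over the constructed sample.
stale_udp_flush_cmds_from_sample() {
    printf '%s\n' "$SAMPLE_CT" | stale_udp_flush_cmds "$@"
}
```

In a live system the same function would be fed `conntrack -L 2>/dev/null` and the printed commands reviewed or piped to `sh` after a backend is dropped from the service.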