Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register
From: Florian Westphal
Date: Fri Oct 09 2020 - 14:56:02 EST
Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> wrote:
> > The repro clears all rules, waits 4 seconds, then restores the ruleset.
> > using iptables-restore < FOO; sleep 4; iptables-restore < FOO will not
> > result in any unregister ops.
> >
> > We could make kernel defer unregister via some work queue but i don't
> > see what this would help/accomplish (and its questionable of how long it
> > should wait).
>
> Sorry, I can't put together the two paragraphs above: in the first you
> wrote that no (hook) unregister-register happens and in the second one
> that those could be derefed.
Sorry, my reply is confusing indeed.
Matches/targets that need conntrack increment a refcount.
So, when all rules are flushed, refcount goes down to 0 and conntrack is
disabled because the hooks get removed..
Just doing iptables-restore doesn't unregister as long as both the old
and new rulesets need conntrack.
The "delay unregister" remark was wrt. the "all rules were deleted"
case, i.e. add a "grace period" rather than acting right away when
conntrack use count did hit 0.
> > We could disallow unregister, but that seems silly (forces reboot...).
> >
> > I think the patch is fine.
>
> The patch is fine, but why the packets are handled by conntrack (after the
> first restore and during the 4s sleep? And then again after the second
> restore?) as if all conntrack entries were removed?
Conntrack entries are not removed, only the base hooks get unregistered.
This is a problem for tcp window tracking.
When re-register occurs, kernel is supposed to switch the existing
entries to "loose" mode so window tracking won't flag packets as
invalid, but apparently this isn't enough to handle keepalive case.