[v3,0/17] netfilter: nf_flow_table: refactoring, TCP state tracking, sending flows to slow path

Message ID 20180226091524.47061-1-nbd@nbd.name

Message

Felix Fietkau Feb. 26, 2018, 9:15 a.m. UTC
Fixes issues with connections hanging after >30 seconds idle time.

Changes since v2:
- Include the previous patch series
- Rebase to current nf.git
- Provide longer description for the teardown state and the changes
  for passing flows back to the slow path

Changes since v1:
- Fix up connection tracking state earlier to improve processing of TCP
  FIN/RST that trigger the bump to the slow path.
- Fix the value of ct->proto.tcp.state, reset the window values to force
  the tcp window check to resync
- Add a checksum fix for DNAT

Felix Fietkau (5):
  netfilter: nf_flow_table: make flow_offload_dead inline
  netfilter: nf_flow_table: add a new flow state for tearing down
    offloading
  netfilter: nf_flow_table: in flow_offload_lookup, skip entries being
    deleted
  netfilter: nf_flow_table: add support for sending flows back to the
    slow path
  netfilter: nf_flow_table: tear down TCP flows if RST or FIN was seen

 include/net/netfilter/nf_flow_table.h | 11 +++++-
 net/netfilter/nf_flow_table_core.c    | 74 +++++++++++++++++++++++++++--------
 net/netfilter/nf_flow_table_ip.c      | 30 ++++++++++++--
 3 files changed, 94 insertions(+), 21 deletions(-)

Comments

Pablo Neira Ayuso March 5, 2018, 10:11 p.m. UTC | #1
On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
> Fixes issues with connections hanging after >30 seconds idle time.
> 
> Changes since v2:
> - Include the previous patch series
> - Rebase to current nf.git
> - Provide longer description for the teardown state and the changes
>   for passing flows back to the slow path
> 
> Changes since v1:
> - Fix up connection tracking state earlier to improve processing of TCP
>   FIN/RST that trigger the bump to the slow path.
> - Fix the value of ct->proto.tcp.state, reset the window values to force
>   the tcp window check to resync

Series applied, thanks Felix.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso March 5, 2018, 10:38 p.m. UTC | #2
On Mon, Mar 05, 2018 at 11:11:38PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
> > Fixes issues with connections hanging after >30 seconds idle time.
> > 
> > Changes since v2:
> > - Include the previous patch series
> > - Rebase to current nf.git
> > - Provide longer description for the teardown state and the changes
> >   for passing flows back to the slow path
> > 
> > Changes since v1:
> > - Fix up connection tracking state earlier to improve processing of TCP
> >   FIN/RST that trigger the bump to the slow path.
> > - Fix the value of ct->proto.tcp.state, reset the window values to force
> >   the tcp window check to resync
> 
> Series applied, thanks Felix.

Felix, I'm taking from 1 to 5. I'll keep the remaining patches sitting
in my patchwork, net-next is still not in sync with net, so I will
wait until the fix for IPv4 DNAT shows up there.

Thanks.
Rafał Miłecki March 13, 2018, 6:16 a.m. UTC | #3
On Mon, 5 Mar 2018 23:11:38 +0100, Pablo Neira Ayuso wrote:
 > On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
 > > Fixes issues with connections hanging after >30 seconds idle time.
 > >
 > > Changes since v2:
 > > - Include the previous patch series
 > > - Rebase to current nf.git
 > > - Provide longer description for the teardown state and the changes
 > >   for passing flows back to the slow path
 > >
 > > Changes since v1:
 > > - Fix up connection tracking state earlier to improve processing of TCP
 > >   FIN/RST that trigger the bump to the slow path.
 > > - Fix the value of ct->proto.tcp.state, reset the window values to force
 > >   the tcp window check to resync
 >
 > Series applied, thanks Felix.

Hi Pablo,

I just noticed net-next.git already got net.git merged and contains
Felix's DNAT fix.

Just letting you know, in case you have a moment to look at remaining
patches. Thanks a lot for taking care of Felix's work! I'm really
excited about this feature hitting OpenWrt/LEDE :)
nevola March 13, 2018, 7:51 a.m. UTC | #4
On Tue, Mar 13, 2018 at 7:16 AM, Rafał Miłecki <zajec5@gmail.com> wrote:
> On Mon, 5 Mar 2018 23:11:38 +0100, Pablo Neira Ayuso wrote:
>> On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
>> > Fixes issues with connections hanging after >30 seconds idle time.
>> >
>> > Changes since v2:
>> > - Include the previous patch series
>> > - Rebase to current nf.git
>> > - Provide longer description for the teardown state and the changes
>> >   for passing flows back to the slow path
>> >
>> > Changes since v1:
>> > - Fix up connection tracking state earlier to improve processing of TCP
>> >   FIN/RST that trigger the bump to the slow path.
>> > - Fix the value of ct->proto.tcp.state, reset the window values to force
>> >   the tcp window check to resync
>>
>> Series applied, thanks Felix.
>
> Hi Pablo,
>
> I just noticed net-next.git already got net.git merged and contains
> Felix's DNAT fix.
>
> Just letting you know, in case you have a moment to look at remaining
> patches. Thanks a lot for taking care of Felix's work! I'm really
> excited about this feature hitting OpenWrt/LEDE :)

+1
Great work guys!
Pablo Neira Ayuso April 26, 2018, 10:01 p.m. UTC | #5
On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
> Fixes issues with connections hanging after >30 seconds idle time.
> 
> Changes since v2:
> - Include the previous patch series
> - Rebase to current nf.git
> - Provide longer description for the teardown state and the changes
>   for passing flows back to the slow path
> 
> Changes since v1:
> - Fix up connection tracking state earlier to improve processing of TCP
>   FIN/RST that trigger the bump to the slow path.
> - Fix the value of ct->proto.tcp.state, reset the window values to force
>   the tcp window check to resync
> - Add a checksum fix for DNAT

Series applied, thanks Felix.