| Message ID | 1621883569-33343-1-git-send-email-danielj@nvidia.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,F:linux-bluefield] UBUNTU: SAUCE: netfilter: conntrack: Check offload bit on table dump | expand |
On 24/05/2021 15:12, Daniel Jurgens wrote: > From: Roi Dayan <roid@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1929458 > > If the conntrack entry is owned by the flow table offload infrastructure > then don't do garbage collect when dumping the entries. > The entry offload timeout might not be updated as the flow timeout being > updated. > > To reproduce the issue we can do conntrack -L or cat > /proc/net/nf_conntrack while rules being offloaded. > Sometimes rules will get deleted because ct timeout expired. > So check the offload bit like gc_worker() as others loops does. > > This is not a final fix and still being investigated why ct initial timeout > was not enough before offload path updated the ct timeout to a day. > > Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit") > Signed-off-by: Roi Dayan <roid@nvidia.com> > Signed-off-by: Daniel Jurgens <danielj@nvidia.com> > --- Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Best regards, Krzysztof
On 24.05.21 21:12, Daniel Jurgens wrote: > From: Roi Dayan <roid@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1929458 > > If the conntrack entry is owned by the flow table offload infrastructure > then don't do garbage collect when dumping the entries. > The entry offload timeout might not be updated as the flow timeout being > updated. > > To reproduce the issue we can do conntrack -L or cat > /proc/net/nf_conntrack while rules being offloaded. > Sometimes rules will get deleted because ct timeout expired. > So check the offload bit like gc_worker() as others loops does. > > This is not a final fix and still being investigated why ct initial timeout > was not enough before offload path updated the ct timeout to a day. > > Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit") > Signed-off-by: Roi Dayan <roid@nvidia.com> > Signed-off-by: Daniel Jurgens <danielj@nvidia.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Thanks > --- > include/net/netfilter/nf_conntrack.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h > index c7bfddf..4f51b62 100644 > --- a/include/net/netfilter/nf_conntrack.h > +++ b/include/net/netfilter/nf_conntrack.h > @@ -276,7 +276,7 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct) > static inline bool nf_ct_should_gc(const struct nf_conn *ct) > { > return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) && > - !nf_ct_is_dying(ct); > + !nf_ct_is_dying(ct) && !test_bit(IPS_OFFLOAD_BIT, &ct->status); > } > > #define NF_CT_DAY (86400 * HZ) >
Applied to F/bluefield master-next. Thank you! -Kelsey On 2021-05-24 22:12:49 , Daniel Jurgens wrote: > From: Roi Dayan <roid@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1929458 > > If the conntrack entry is owned by the flow table offload infrastructure > then don't do garbage collect when dumping the entries. > The entry offload timeout might not be updated as the flow timeout being > updated. > > To reproduce the issue we can do conntrack -L or cat > /proc/net/nf_conntrack while rules being offloaded. > Sometimes rules will get deleted because ct timeout expired. > So check the offload bit like gc_worker() as others loops does. > > This is not a final fix and still being investigated why ct initial timeout > was not enough before offload path updated the ct timeout to a day. > > Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit") > Signed-off-by: Roi Dayan <roid@nvidia.com> > Signed-off-by: Daniel Jurgens <danielj@nvidia.com> > --- > include/net/netfilter/nf_conntrack.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h > index c7bfddf..4f51b62 100644 > --- a/include/net/netfilter/nf_conntrack.h > +++ b/include/net/netfilter/nf_conntrack.h > @@ -276,7 +276,7 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct) > static inline bool nf_ct_should_gc(const struct nf_conn *ct) > { > return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) && > - !nf_ct_is_dying(ct); > + !nf_ct_is_dying(ct) && !test_bit(IPS_OFFLOAD_BIT, &ct->status); > } > > #define NF_CT_DAY (86400 * HZ) > -- > 1.8.3.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index c7bfddf..4f51b62 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -276,7 +276,7 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct) static inline bool nf_ct_should_gc(const struct nf_conn *ct) { return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) && - !nf_ct_is_dying(ct); + !nf_ct_is_dying(ct) && !test_bit(IPS_OFFLOAD_BIT, &ct->status); } #define NF_CT_DAY (86400 * HZ)