Netfilter-Devel Archive mirror
From: Jason Xing <kerneljasonxing@gmail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	edumazet@google.com,  Florian Westphal <fw@strlen.de>,
	kuba@kernel.org, pabeni@redhat.com,
	 David Miller <davem@davemloft.net>,
	netfilter-devel@vger.kernel.org,  coreteam@netfilter.org,
	netdev@vger.kernel.org,  Jason Xing <kernelxing@tencent.com>
Subject: Re: [PATCH nf-next v2] netfilter: conntrack: avoid sending RST to reply out-of-window skb
Date: Sat, 23 Mar 2024 08:25:55 +0800
Message-ID: <CAL+tcoCe6YFOWOYvdu1UH+kHRYPEmfphOJzB0BcVR-HER0GZ8g@mail.gmail.com>
In-Reply-To: <b1b95a71-a4e8-288c-7731-811ad548d641@blackhole.kfki.hu>

> I understand and appreciate your efforts. But please consider the case
> when one has to diagnose a failing connection and conntrack drops
> packets. What should be suspected? Firewall rules? One can enable TRACE
> and check which rules are hit - but because conntrack drops packet,
> nothing is shown there. Enable and check conntrack events? Because the
> packets are INVALID, checking the events does not help either. Only when
> one runs tcpdump and compares it with the TRACE/NFLOG/LOG entries can one
> spot that some packets "disappeared".
>
> Compare the whole thing with the case when packets are not dropped
> silently but can be logged via checking the INVALID flag. One can directly
> tell that conntrack could not handle the packets and can see all packet
> parameters.

Thanks for explaining the importance of why not to drop silently. Now
I can see :)

In my first version, I didn't drop it directly but let it go without
clearing skb->_nfct fields and then let the TCP layer handle it. As
you said, the out-of-window case is just one of some INVALID cases
which could also cause RST behaviour, so it seems that the first
version doesn't handle it well either. It has to take all INVALID
cases into account...

Is there anything left I can do, like particular tracepoints or something
like this? No idea. I only hope somebody who encounters such an issue
can notice this behaviour effortlessly :)

Thanks,
Jason

>
> Best regards,
> Jozsef


Thread overview: 13+ messages
2024-03-11  7:05 [PATCH nf-next v2] netfilter: conntrack: avoid sending RST to reply out-of-window skb Jason Xing
2024-03-12 12:24 ` Florian Westphal
2024-03-13  2:24   ` Jason Xing
2024-03-18 20:16 ` Simon Horman
2024-03-19  2:52   ` Jason Xing
2024-03-19 18:46     ` Simon Horman
2024-03-21 21:06 ` Pablo Neira Ayuso
2024-03-22  1:06   ` Jason Xing
2024-03-22 10:40     ` Pablo Neira Ayuso
2024-03-22 10:50   ` Jozsef Kadlecsik
2024-03-22 11:07     ` Jason Xing
2024-03-22 20:16       ` Jozsef Kadlecsik
2024-03-23  0:25         ` Jason Xing [this message]
