[ovs-dev] [PATCH][v2] conntrack: Fix conntrack tw expiration

Li,Rongqing lirongqing at baidu.com
Fri Jan 15 01:28:10 UTC 2021



> -----Original Message-----
> From: Aaron Conole [mailto:aconole at redhat.com]
> Sent: Thursday, January 14, 2021 11:23 PM
> To: Li,Rongqing <lirongqing at baidu.com>
> Cc: ovs-dev at openvswitch.org; William Tu <u9012063 at gmail.com>
> Subject: Re: [ovs-dev] [PATCH][v2] conntrack: Fix conntrack tw expiration
> 
> "Li,Rongqing" <lirongqing at baidu.com> writes:
> 
> >> -----Original Message-----
> >
> >> I think given that, it would be wrong to make any change to the
> >> connection expiration time in this branch.
> >>
> >> I guess you're hitting the 'loosened connection close' case, which
> >> will not
> >
> > the connection that I see is below:
> >
> > *
> >
> >> change the TTL and keep the connection in the table longer.  Looking
> >> at other PF based firewalls, none of them ever update the xon timeout in
> >> this fall-through case (I looked at openbsd, dragonfly bsd, and freebsd).
> >>
> > Is it possible this is a common issue for BSD? I did not find the
> > similar logic in linux
> 
> It is possible that such issues don't impact linux, but it could be for other
> reasons.  If you have a traffic capture that you can post we can look at it.
> Best would be to create a test case using sendpkt.py to send the packets - that
> would demonstrate the issue between the two (and help us to keep it cohesive
> in the future).
> 

OK, I will try to test it.


> I think we do want to keep the datapaths as similar as possible, so I would
> welcome this test to be added.
> 
> >
> >> Have you looked at using the CT timeout policy framework to set up a
> >> timeout
> >
> > What is CT timeout policy? Could you give some links, thanks
> 
> I guess there isn't a whole lot of documentation.  We should fix that.
> 
> From ovs-vsctl(8):
>        [--may-exist] add-zone-tp datapath zone=zone_id policies
>               Creates a conntrack zone timeout policy with zone_id in datapath.
>               The policies consist of key=value pairs, separated by spaces.
>               For example, icmp_first=30 icmp_reply=60 specifies a 30-second
>               timeout policy for the first ICMP packet and a 60-second policy
>               for ICMP reply packets.  See the CT_Timeout_Policy table in
>               ovs-vswitchd.conf.db(5) for the supported keys.
> 
>               Without --may-exist, attempting to add a zone_id that already
>               exists is an error.  With --may-exist, this command does nothing
>               if zone_id already exists.
> 
> From the CT_Timeout_Policy section of ovs-vswitchd.conf.db(5):
> 
> CT_Timeout_Policy TABLE
>        Connection tracking timeout policy configuration
> 
>    Summary:
>        Timeouts:
>          timeouts                    map of string-integer pairs, key one of
>                                      icmp_first, icmp_reply, tcp_close,
>                                      tcp_close_wait, tcp_established,
>                                      tcp_fin_wait, tcp_last_ack, tcp_retransmit,
>                                      tcp_syn_recv, tcp_syn_sent2, tcp_syn_sent,
>                                      tcp_time_wait, tcp_unack, udp_first,
>                                      udp_multiple, or udp_single, value in
>                                      range 0 to 4,294,967,295
>          TCP Timeouts:
>             timeouts : tcp_syn_sent     optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_syn_recv     optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_established  optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_fin_wait     optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_close_wait   optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_last_ack     optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_time_wait    optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_close        optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_syn_sent2    optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_retransmit   optional integer, in range 0 to 4,294,967,295
>             timeouts : tcp_unack        optional integer, in range 0 to 4,294,967,295
> 
>   ....
> 
> As an example (just illustration - I didn't test any of this):
> 
>   ovs-vsctl --may-exist add-zone-tp netdev zone=0 tcp_time_wait=30 \
>   tcp_close=30 tcp_last_ack=30 tcp_fin_wait=30
> 

I see, thank you.

-Li
> >
> > Thanks
> >
> > -Li

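A shell helper, added here as an example and not part of the thread or of Open vSwitch itself, that checks a set of key=value timeout pairs against the keys and value range listed in the quoted CT_Timeout_Policy table, then either applies them with ovs-vsctl add-zone-tp (when ovs-vsctl is installed) or prints the command as a dry run. The datapath name netdev, zone 0 and the 30-second values mirror the illustration in the quoted reply and are assumptions; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Open vSwitch: build, check and
# (optionally) apply a conntrack zone timeout policy with ovs-vsctl add-zone-tp.
# The datapath "netdev", zone 0 and the timeout values used at the bottom are
# assumptions that mirror the illustration in the quoted reply.

# Keys accepted by the CT_Timeout_Policy table, per ovs-vswitchd.conf.db(5).
CT_TP_KEYS="icmp_first icmp_reply tcp_close tcp_close_wait tcp_established \
tcp_fin_wait tcp_last_ack tcp_retransmit tcp_syn_recv tcp_syn_sent2 tcp_syn_sent \
tcp_time_wait tcp_unack udp_first udp_multiple udp_single"
CT_TP_MAX=4294967295   # documented upper bound of every timeout value

# ct_tp_validate key=value ...
# Returns 0 when every key is a documented timeout key and every value is an
# integer in 0..CT_TP_MAX; otherwise reports the first bad pair and returns 1.
ct_tp_validate() {
    for pair in "$@"; do
        key=${pair%%=*}
        val=${pair#*=}
        case " $CT_TP_KEYS " in
            *" $key "*) ;;
            *) echo "unknown timeout key: '$key'" >&2; return 1 ;;
        esac
        case $val in
            ''|*[!0-9]*) echo "non-integer value for $key: '$val'" >&2; return 1 ;;
        esac
        # Length check first so the arithmetic comparison never sees a value
        # wider than 10 digits.
        if [ ${#val} -gt 10 ] || [ "$val" -gt "$CT_TP_MAX" ]; then
            echo "value out of range for $key: $val" >&2; return 1
        fi
    done
}

# ct_tp_command datapath zone key=value ...
# Prints the ovs-vsctl invocation that would create the policy, or fails
# without printing anything if the pairs do not validate.
ct_tp_command() {
    dp=$1; zone=$2; shift 2
    ct_tp_validate "$@" || return 1
    printf 'ovs-vsctl --may-exist add-zone-tp %s zone=%s' "$dp" "$zone"
    for pair in "$@"; do printf ' %s' "$pair"; done
    printf '\n'
}

# ct_tp_apply datapath zone key=value ...
# Applies the policy when ovs-vsctl is available and lists the zone policies
# afterwards; otherwise prints the command as a dry run.
ct_tp_apply() {
    dp=$1; zone=$2; shift 2
    ct_tp_validate "$@" || return 1
    if command -v ovs-vsctl >/dev/null 2>&1; then
        ovs-vsctl --may-exist add-zone-tp "$dp" "zone=$zone" "$@" &&
            ovs-vsctl list-zone-tp "$dp"
    else
        echo "dry run (ovs-vsctl not found):"
        ct_tp_command "$dp" "$zone" "$@"
    fi
}

# Shorten the closing-side TCP states so half-closed and TIME_WAIT entries
# leave the table sooner than the defaults (values are illustrative).
ct_tp_apply netdev 0 tcp_time_wait=30 tcp_close=30 tcp_last_ack=30 tcp_fin_wait=30
```

The validation only mirrors what the schema already enforces on the ovs-vsctl side; its value is that a typo such as tcp_timewait or an out-of-range number is caught, and the exact command shown, before anything touches the database on a production switch.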