Message ID | 20240924194419.29936-8-fw@strlen.de |
---|---|
State | New |
Headers | show |
Series | netfilter: rework conntrack/flowtable interaction | expand |
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 98edcaa37b38..94d83003acf0 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -28,11 +28,14 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto, return 0; tcph = (void *)(skb_network_header(skb) + thoff); - if (unlikely(tcph->fin || tcph->rst)) { + if (unlikely(tcph->rst)) { flow_offload_teardown(flow); return -1; } + if (unlikely(tcph->fin)) + return -1; + return 0; }
Treat fin packets like tcp packets with IP options or packets that would need fragmentation: pass them to slow path, but keep the flowtable entry around. This allows to keep connections where one peer closes early but keeps receiving data for a long time in forwarding fast path. Conntrack should be moving the nf_conn entry towards a much lower timeout, (default fin_wait 2 minutes). Signed-off-by: Florian Westphal <fw@strlen.de> --- net/netfilter/nf_flow_table_ip.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)