diff mbox series

[nf-next,7/7] netfilter: nft_flow_offload: do not remove flowtable entry for fin packets

Message ID 20240924194419.29936-8-fw@strlen.de
State New
Series netfilter: rework conntrack/flowtable interaction

Commit Message

Florian Westphal Sept. 24, 2024, 7:44 p.m. UTC
Treat fin packets like tcp packets with IP options or packets that would
need fragmentation: pass them to slow path, but keep the flowtable entry
around.

This allows keeping connections where one peer closes early but keeps
receiving data for a long time in the forwarding fast path.

Conntrack should be moving the nf_conn entry towards a much lower
timeout (default fin_wait 2 minutes).

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_flow_table_ip.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
Patch

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 98edcaa37b38..94d83003acf0 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -28,11 +28,14 @@  static int nf_flow_state_check(struct flow_offload *flow, int proto,
 		return 0;
 
 	tcph = (void *)(skb_network_header(skb) + thoff);
-	if (unlikely(tcph->fin || tcph->rst)) {
+	if (unlikely(tcph->rst)) {
 		flow_offload_teardown(flow);
 		return -1;
 	}
 
+	if (unlikely(tcph->fin))
+		return -1;
+
 	return 0;
 }
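Review bot: the new `if (unlikely(tcph->fin)) return -1;` branch reads as an oversight next to the rst branch just above it, which still calls flow_offload_teardown() before returning -1; a one-line comment in the hunk should state that the entry is intentionally kept for fin so that the peer that is still receiving data stays in the fast path, and that reaping the entry is left to conntrack's fin_wait timeout, as the commit message explains. Something like `/* fin: slow path, but keep flow entry; conntrack will lower the timeout */` above the fin check would stop a later reader from "fixing" the asymmetry. The ordering is otherwise right: a segment with both rst and fin set hits the rst branch first and tears the flow down, which is the stricter of the two behaviours.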