linux-stable/Documentation/networking
Xin Long c050b4c998 netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
[ Upstream commit 9bfab6d23a ]

In the SCTP protocol, the same timer (T2 timer) is used for SHUTDOWN and
SHUTDOWN_ACK retransmission. However, in sctp conntrack the default timeout
value for the SCTP_CONNTRACK_SHUTDOWN_ACK_SENT state is 3 secs while it's 300
msecs for the SCTP_CONNTRACK_SHUTDOWN_SEND/RECV state.

As Paolo Valerio noticed, this might cause unwanted expiration of the ct
entry. In my test, with a 1s tc netem delay set on the NAT path, after the
SHUTDOWN is sent, the sctp ct entry enters the SCTP_CONNTRACK_SHUTDOWN_SEND
state. However, due to the 300ms (too short) delay, when the SHUTDOWN_ACK is
sent back from the peer, the sctp ct entry has expired and been deleted,
and then the SHUTDOWN_ACK has to be dropped.

Also, it is confusing that these two sysctl options always show 0 due to all
timeout values using sec as the unit:

  net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
  net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0

This patch fixes it by also using 3 secs for the sctp shutdown send and recv
states in sctp conntrack, which is also the RTO.initial value in the SCTP protocol.

Note that the very short time value for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV
was probably used for a rare scenario where SHUTDOWN is sent on the 1st path
but SHUTDOWN_ACK is replied on the 2nd path, and then a new connection is
started immediately on the 1st path. So this patch also moves from
SHUTDOWN_SEND/RECV to CLOSE when receiving INIT in the ORIGINAL direction.

Fixes: 9fb9cbb108 ("[NETFILTER]: Add nf_conntrack subsystem.")
Reported-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-08-23 17:32:46 +02:00
caif
device_drivers
devlink
dsa
mac80211_hwsim
6lowpan.rst
6pack.rst
af_xdp.rst
alias.rst
arcnet-hardware.rst
arcnet.rst
atm.rst
ax25.rst
bareudp.rst
batman-adv.rst
bonding.rst
bridge.rst
can.rst
can_ucan_protocol.rst
cdc_mbim.rst
checksum-offloads.rst
dccp.rst
dctcp.rst
dns_resolver.rst
driver.rst
eql.rst
ethtool-netlink.rst
failover.rst
fib_trie.rst
filter.rst
gen_stats.rst
generic-hdlc.rst
generic_netlink.rst
gtp.rst
ieee802154.rst
ila.rst
index.rst
ioam6-sysctl.rst
ip-sysctl.rst
ip_dynaddr.rst
ipddp.rst
ipsec.rst
ipv6.rst
ipvlan.rst
ipvs-sysctl.rst
j1939.rst
kapi.rst
kcm.rst
l2tp.rst
lapb-module.rst
mac80211-auth-assoc-deauth.txt
mac80211-injection.rst
mctp.rst
mpls-sysctl.rst
mptcp-sysctl.rst
msg_zerocopy.rst
multiqueue.rst
napi.rst
net_dim.rst
net_failover.rst
netconsole.rst
netdev-features.rst
netdevices.rst
netfilter-sysctl.rst
netif-msg.rst
nexthop-group-resilient.rst
nf_conntrack-sysctl.rst
nf_flowtable.rst
nfc.rst
openvswitch.rst
operstates.rst
packet_mmap.rst
page_pool.rst
phonet.rst
phy.rst
pktgen.rst
plip.rst
ppp_generic.rst
proc_net_tcp.rst
radiotap-headers.rst
rds.rst
regulatory.rst
representors.rst
rxrpc.rst
scaling.rst
sctp.rst
secid.rst
seg6-sysctl.rst
segmentation-offloads.rst
sfp-phylink.rst
skbuff.rst
smc-sysctl.rst
snmp_counter.rst
statistics.rst
strparser.rst
switchdev.rst
sysfs-tagging.rst
tc-actions-env-rules.rst
tc-queue-filters.rst
tcp-thin.rst
team.rst
timestamping.rst
tipc.rst
tls-handshake.rst
tls-offload-layers.svg
tls-offload-reorder-bad.svg
tls-offload-reorder-good.svg
tls-offload.rst
tls.rst
tproxy.rst
tuntap.rst
udplite.rst
vrf.rst
vxlan.rst
x25-iface.rst
x25.rst
xdp-rx-metadata.rst
xfrm_device.rst
xfrm_proc.rst
xfrm_sync.rst
xfrm_sysctl.rst