Message-ID: <20180720133205.nwzir6bro4yd4pjq@breakpoint.cc>
Date:   Fri, 20 Jul 2018 15:32:05 +0200
From:   Florian Westphal <fw@...len.de>
To:     Felix Fietkau <nbd@....name>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org
Subject: Re: [PATCH 02/38] netfilter: flowtables: use fixed renew timeout on teardown

Felix Fietkau <nbd@....name> wrote:
> On 2018-07-20 15:08, Pablo Neira Ayuso wrote:
> > From: Florian Westphal <fw@...len.de>
> > 
> > This is one of the very few external callers of ->get_timeouts(),
> > 
> > We can use a fixed timeout instead, conntrack core will refresh this in
> > case a new packet comes within this period.
> > 
> > Use of ESTABLISHED timeout seems way too huge anyway.
> It seems to me that this could easily break long-lived connections that
> are idle most of the time.

The problem is that we don't know the state of the connection, since it was
offloaded.

We don't know whether the connection 'died' with unacked data (short default
timeout) or not (long default timeout).

So I would prefer to err on the 'evict idle connection that had no
keepalives early' side rather than the 'add dead connection hanging
around forever'.
