提交 617c7456 编写于 作者: F Florian Westphal 提交者: Shile Zhang

netfilter: conntrack: udp: only extend timeout to stream mode after 2s

commit d535c8a69c1924e70186d80be0a9cecaf475f166 upstream

Currently DNS resolvers that send both A and AAAA queries from same source port
can trigger stream mode prematurely, which results in non-early-evictable conntrack entry
for three minutes, even though DNS requests are done in a few milliseconds.

Add a two second grace period where we continue to use the ordinary
30-second default timeout.  Its enough for DNS request/response traffic,
even if two request/reply packets are involved.

ASSURED is still set, else conntrack (and thus a possible
NAT mapping ...) gets zapped too in case conntrack table runs full.
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: NTony Lu <tonylu@linux.alibaba.com>
Acked-by: NDust Li <dust.li@linux.alibaba.com>
上级 96d39291
...@@ -27,12 +27,17 @@ ...@@ -27,12 +27,17 @@
#include <net/netfilter/nf_conntrack_tuple.h> #include <net/netfilter/nf_conntrack_tuple.h>
struct nf_ct_udp {
unsigned long stream_ts;
};
/* per conntrack: protocol private data */ /* per conntrack: protocol private data */
union nf_conntrack_proto { union nf_conntrack_proto {
/* insert conntrack proto private data here */ /* insert conntrack proto private data here */
struct nf_ct_dccp dccp; struct nf_ct_dccp dccp;
struct ip_ct_sctp sctp; struct ip_ct_sctp sctp;
struct ip_ct_tcp tcp; struct ip_ct_tcp tcp;
struct nf_ct_udp udp;
struct nf_ct_gre gre; struct nf_ct_gre gre;
unsigned int tmpl_padto; unsigned int tmpl_padto;
}; };
......
...@@ -54,11 +54,21 @@ static int udp_packet(struct nf_conn *ct, ...@@ -54,11 +54,21 @@ static int udp_packet(struct nf_conn *ct,
if (!timeouts) if (!timeouts)
timeouts = udp_get_timeouts(nf_ct_net(ct)); timeouts = udp_get_timeouts(nf_ct_net(ct));
if (!nf_ct_is_confirmed(ct))
ct->proto.udp.stream_ts = 2 * HZ + jiffies;
/* If we've seen traffic both ways, this is some kind of UDP /* If we've seen traffic both ways, this is some kind of UDP
stream. Extend timeout. */ * stream. Set Assured.
*/
if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
nf_ct_refresh_acct(ct, ctinfo, skb, unsigned long extra = timeouts[UDP_CT_UNREPLIED];
timeouts[UDP_CT_REPLIED]);
/* Still active after two seconds? Extend timeout. */
if (time_after(jiffies, ct->proto.udp.stream_ts))
extra = timeouts[UDP_CT_REPLIED];
nf_ct_refresh_acct(ct, ctinfo, skb, extra);
/* Also, more likely to be important, and not a probe */ /* Also, more likely to be important, and not a probe */
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_ASSURED, ct); nf_conntrack_event_cache(IPCT_ASSURED, ct);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册