<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - New traffic reduces conntrack timeout" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1077">1077</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>New traffic reduces conntrack timeout
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>netfilter/iptables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nf_conntrack
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>netfilter-buglog@lists.netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>zrm@trustiosity.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The code intended to extend the conntrack timeout in the event of new traffic
doesn't check the existing timeout, so if the existing timeout was already
longer than the default, the timeout is reduced.

Example scenario: Default UDP timeout is three minutes (after SEEN_REPLY). The
timeout for one specific entry is extended to five hours using the conntrack
command or API. Three seconds later new traffic is seen for that entry and the
kernel resets the timeout from 04:59:57 to 00:03:00.

(Actual use case: Implementing RFC6887 PEER command so that e.g. UDP VPN can
reduce keepalives by explicitly requesting a long-lived entry.)

Might only need to check (and then keep the existing value) if existing timeout
is longer than new value in "int [proto]_packet()" in
net/netfilter/nf_conntrack_proto_[proto].c for each protocol.

Alternatively might be easier to do the check in __nf_ct_refresh_acct() in
net/netfilter/nf_conntrack_core.c. But notice that "if (newtime -
ct->timeout.expires >= HZ)" there has an integer underflow when newtime is
smaller than ct->timeout.expires, and some things are currently relying on it,
e.g. in tcp_packet() when a TCP connection coming out of ESTABLISHED has its
timeout reduced.</pre>
        </div>
      </p>
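      <p>The refresh behaviour the report describes, modelled as an added example (constructed here; not code from the kernel or from the reporter): <code>refresh_current()</code> stands in for the unconditional refresh, <code>refresh_keep_longer()</code> for the proposed "keep the existing value if it is longer" check, and <code>timer_update_needed()</code> for the unsigned subtraction in <code>__nf_ct_refresh_acct()</code> that wraps when the new expiry is earlier than the old one. HZ, the jiffies values and the timeouts are assumptions chosen to match the five-hour UDP scenario.</p>

```c
#include <assert.h>
#include <stdio.h>

/* Constructed model of the conntrack refresh path from the report.
 * HZ and every timeout below are illustrative assumptions. */
#define HZ 1000UL                           /* jiffies per second (assumed) */
#define UDP_REPLIED_TIMEOUT (180UL * HZ)    /* default 3 minutes after SEEN_REPLY */

/* Current behaviour as reported: newtime = jiffies + extra_jiffies, with no
 * comparison against the expiry already set on the entry. */
unsigned long refresh_current(unsigned long jiffies, unsigned long expires,
                              unsigned long extra_jiffies)
{
    (void)expires;                          /* existing expiry is ignored */
    return jiffies + extra_jiffies;
}

/* Reporter's proposal: keep the existing expiry if it is already later. */
unsigned long refresh_keep_longer(unsigned long jiffies, unsigned long expires,
                                  unsigned long extra_jiffies)
{
    unsigned long newtime = jiffies + extra_jiffies;
    return expires > newtime ? expires : newtime;
}

/* The "at least HZ jiffies apart" test from __nf_ct_refresh_acct().
 * Both operands are unsigned, so newtime < expires wraps to a huge value and
 * the test passes. That is the underflow the report points at, and it is
 * also what lets a shortened timeout (TCP leaving ESTABLISHED) be applied. */
int timer_update_needed(unsigned long newtime, unsigned long expires)
{
    return (newtime - expires) >= HZ;
}

int main(void)
{
    unsigned long jiffies = 3 * HZ;             /* 3 s after the extension */
    unsigned long expires = 5UL * 3600 * HZ;    /* entry extended to 5 h */
    unsigned long cur = refresh_current(jiffies, expires, UDP_REPLIED_TIMEOUT);
    unsigned long keep = refresh_keep_longer(jiffies, expires, UDP_REPLIED_TIMEOUT);

    printf("current:  %lu s left (timer rearmed: %d)\n",
           (cur - jiffies) / HZ, timer_update_needed(cur, expires));
    printf("proposed: %lu s left (timer rearmed: %d)\n",
           (keep - jiffies) / HZ, timer_update_needed(keep, expires));
    return 0;
}
```

With the proposed check the entry keeps its five-hour expiry and the wrap never fires for it, while a genuinely shorter newtime (the TCP case) still passes the test exactly as before.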
    </body>
</html>