<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - New traffic reduces conntrack timeout"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1077">1077</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>New traffic reduces conntrack timeout

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>netfilter/iptables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>nf_conntrack

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>netfilter-buglog@lists.netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>zrm@trustiosity.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>The code intended to extend the conntrack timeout in the event of new traffic

doesn't check the existing timeout, so if the existing timeout was already

longer than the default, the timeout is reduced.

Example scenario: Default UDP timeout is three minutes (after SEEN_REPLY). The

timeout for one specific entry is extended to five hours using the conntrack

command or API. Three seconds later new traffic is seen for that entry and the

kernel resets the timeout from 04:59:57 to 00:03:00.

(Actual use case: Implementing RFC6887 PEER command so that e.g. UDP VPN can

reduce keepalives by explicitly requesting a long-lived entry.)

Might only need to check (and then keep the existing value) if existing timeout

is longer than new value in "int [proto]_packet()" in

net/netfilter/nf_conntrack_proto_[proto].c for each protocol.

Alternatively might be easier to do the check in __nf_ct_refresh_acct() in

net/netfilter/nf_conntrack_core.c. But notice that "if (newtime -

ct->timeout.expires >= HZ)" there has an integer underflow when newtime is

smaller than ct->timeout.expires, and some things are currently relying on it,

e.g. in tcp_packet() when a TCP connection coming out of ESTABLISHED has its

timeout reduced.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>