netfilter: conntrack: udp: only extend timeout to stream mode after 2s - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Florian Westphal <fw@strlen.de>	2018-12-06 13:50:49 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-12-21 02:48:38 +0300
commit	d535c8a69c1924e70186d80be0a9cecaf475f166 (patch)
tree	8934ce1d48533bcf4f40c3381bd3630d6189e9f0 /Documentation/networking/nf_conntrack-sysctl.txt
parent	06aa151ad1fc74a49b45336672515774a678d78d (diff)
download	linux-d535c8a69c1924e70186d80be0a9cecaf475f166.tar.xz

netfilter: conntrack: udp: only extend timeout to stream mode after 2s

Currently DNS resolvers that send both A and AAAA queries from same source port can trigger stream mode prematurely, which results in non-early-evictable conntrack entry for three minutes, even though DNS requests are done in a few milliseconds. Add a two second grace period where we continue to use the ordinary 30-second default timeout. Its enough for DNS request/response traffic, even if two request/reply packets are involved. ASSURED is still set, else conntrack (and thus a possible NAT mapping ...) gets zapped too in case conntrack table runs full. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'Documentation/networking/nf_conntrack-sysctl.txt')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: