Thread: 10 messages, 2 authors, 2022-11-02

Re: [PATCH] Periodically flow expire from flow offload tables

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2022-10-25 11:05:30
Also in: linux-doc, lkml, netfilter-devel

Hi,

On Sun, Oct 23, 2022 at 07:16:58PM +0200, Michael Lilja wrote:
> When a flow is added to a flow table for SW/HW offload,
> the user has no means of controlling the flow once it has
> been offloaded. If a number of firewall rules have been made using
> time schedules, then these rules don't apply to the already
> offloaded flows. Adding new firewall rules also doesn't affect
> already offloaded flows.
>
> This patch handles flow table retirement, giving the user the option
> to at least periodically get the flow back under control of the
> firewall rules so already offloaded flows can be dropped or be
> pushed back to flow offload tables.
>
> The flow retirement is disabled by default and can be set in seconds
> using sysctl -w net.netfilter.nf_flowtable_retire.

What does your ruleset look like? Could you detail your use case?

Thanks.
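To make the use case in the patch description concrete, here is an added nftables ruleset of the kind the question above asks about. It is not from the thread or from the patch; the interface names (lan0, wan0), the 192.0.2.0/24 prefix, the schedule window and the 300-second retire value are assumed. The sysctl shown in the comment is the one proposed by the patch under discussion, not a documented mainline knob.

```nft
# Proposed knob from the patch (seconds between forced flow expiry);
# 0 = disabled, which the patch says is the default:
#   sysctl -w net.netfilter.nf_flowtable_retire=300

table inet filter {
    # Software flowtable on both forwarding interfaces (assumed names).
    flowtable ft {
        hook ingress priority filter
        devices = { lan0, wan0 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Schedule-based deny rule. It only sees packets that reach the
        # forward hook; a flow already in @ft is short-circuited at
        # ingress and never gets here, so a connection started before
        # 22:00 keeps flowing after 22:00 until the flow entry expires.
        meta hour "22:00"-"06:00" ip saddr 192.0.2.0/24 counter drop

        # Offload established TCP/UDP flows. With the retire sysctl set,
        # entries are periodically removed so the next packet of a
        # long-lived connection is re-evaluated by this chain (and
        # either dropped by the rule above or re-offloaded here).
        ip protocol { tcp, udp } flow add @ft

        ct state established,related counter accept
        ct state new ip saddr 192.0.2.0/24 counter accept
    }
}
```

Without the retire mechanism, the only way to enforce the schedule on an already offloaded connection is to flush the flowtable or remove the conntrack entry by hand; the counters on the drop rule are a quick way to verify whether long-lived flows are actually being re-evaluated.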