Re: [PATCH] Periodically flow expire from flow offload tables
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2022-10-25 11:05:30
Also in:
linux-doc, lkml, netfilter-devel
Hi,

On Sun, Oct 23, 2022 at 07:16:58PM +0200, Michael Lilja wrote:
> When a flow is added to a flow table for SW/HW offload, the user has no
> means of controlling the flow once it has been offloaded. If a number of
> firewall rules have been made using time schedules, those rules don't
> apply to the already offloaded flows. Adding new firewall rules also
> doesn't affect already offloaded flows. This patch handles flow table
> retirement, giving the user the option to at least periodically get the
> flow back under the control of the firewall rules, so already offloaded
> flows can be dropped or be pushed back to the flow offload tables. Flow
> retirement is disabled by default and can be set in seconds using
> sysctl -w net.netfilter.nf_flowtable_retire
What does your ruleset look like? Could you detail your use case? Thanks.
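For readers following the thread, the following is an illustrative nftables ruleset for the situation the patch describes. It is added here and is not the submitter's actual ruleset (which is what Pablo asks for); the interface names eth0/eth1, the 09:00-17:00 schedule, and the retire value of 300 seconds are assumptions chosen for the example.

```nft
# Constructed example ruleset, not the submitter's configuration.
# Assumes a router forwarding between eth0 and eth1.
flush ruleset

table inet filter {
    # Flowtable: once a flow is offloaded here, its packets are handled at the
    # ingress hook (or in hardware) and never traverse the forward chain again.
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, eth1 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Time-scheduled rule (hypothetical window). It only matches packets
        # that still reach this chain; an already offloaded flow bypasses it,
        # which is the problem the patch addresses.
        meta hour "09:00"-"17:00" drop

        # Offload established TCP/UDP flows. After the flow is retired by the
        # proposed nf_flowtable_retire timer, the next packet comes back through
        # this chain: inside the window it is dropped above, outside it this
        # rule pushes the flow back into the flowtable.
        ct state established meta l4proto { tcp, udp } flow add @ft

        ct state established,related accept
        iifname "eth0" oifname "eth1" ct state new accept
    }
}

# With the patch applied, retire offloaded flows every 300 s (assumed value):
#   sysctl -w net.netfilter.nf_flowtable_retire=300
```

Without the retire timer, a flow that was offloaded before 09:00 keeps flowing through the 09:00-17:00 window because the `meta hour` rule is never evaluated for it; the same applies to any rule added to the forward chain after the flow was offloaded.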