bugzilla-daemon at netfilter.org
2023-May-16 00:00 UTC
[Bug 1680] New: Trying to delete offloaded flow with conntrack results in EBUSY
https://bugzilla.netfilter.org/show_bug.cgi?id=1680
Bug ID: 1680
Summary: Trying to delete offloaded flow with conntrack results
in EBUSY
Product: nftables
Version: unspecified
Hardware: All
OS: other
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: demiobenour at gmail.com
If I am using a flowtable to accelerate forwarding and try to use conntrack to
delete the offloaded flows, conntrack fails with EBUSY. This is a problem if
the purpose of deleting the flows is to enforce changed firewall rules.
This was found while investigating
https://github.com/QubesOS/qubes-issues/issues/8212 (found by Marek
Marczykowski-Górecki).
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230516/327163a3/attachment.html>
bugzilla-daemon at netfilter.org
2023-May-18 10:56 UTC
[Bug 1680] Trying to delete offloaded flow with conntrack results in EBUSY
https://bugzilla.netfilter.org/show_bug.cgi?id=1680
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
There is a kernel patch to allow for this, starting 6.3
commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51
Author: Paul Blakey <paulb at nvidia.com>
Date: Wed Mar 22 09:35:32 2023 +0200
netfilter: ctnetlink: Support offloaded conntrack entry deletion
Currently, offloaded conntrack entries (flows) can only be deleted
after they are removed from offload, which is either by timeout,
tcp state change or tc ct rule deletion. This can cause issues for
users wishing to manually delete or flush existing entries.
Support deletion of offloaded conntrack entries.
Example usage:
# Delete all offloaded (and non offloaded) conntrack entries
# whose source address is 1.2.3.4
$ conntrack -D -s 1.2.3.4
# Delete all entries
$ conntrack -F
It should be possible to cherry-pick it to earlier kernel versions.
bugzilla-daemon at netfilter.org
2023-May-18 10:58 UTC
[Bug 1680] Trying to delete offloaded flow with conntrack results in EBUSY
https://bugzilla.netfilter.org/show_bug.cgi?id=1680
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Side note: This removes the entry from the flowtable as soon as the garbage collector has a chance to run.
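As an added example (not code from the bug report or from the netfilter project), the following POSIX sh wrapper turns the `conntrack -D -s ADDR` / `conntrack -F` usage from comment #1 into something a rule-change script can call safely: it hints at whether the running kernel is 6.3 or newer, counts how many offloaded entries are at stake, runs the deletion, and maps an EBUSY refusal (the pre-fix behaviour reported here) to its own exit code so the caller knows the old flows were not torn down. It assumes conntrack-tools is installed, that the script runs as root, and that conntrack reports EBUSY as the strerror text "Device or resource busy"; the sample `conntrack -L` dump is constructed, and the `[OFFLOAD]` flag parsing and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or the netfilter project.
# Deletes conntrack entries after a firewall rule change and fails loudly when
# the kernel refuses to delete offloaded entries (EBUSY before the fix in 6.3,
# or on a kernel without the -stable backport).
# Assumptions: conntrack-tools installed, running as root, and conntrack
# printing strerror(EBUSY) ("Device or resource busy") on refusal.

# kernel_at_least RELEASE MAJOR MINOR: succeed when RELEASE (as printed by
# `uname -r`, e.g. "6.3.0-1-amd64") is at least MAJOR.MINOR. Only a hint:
# the fix was also queued for -stable, so older releases may carry it.
kernel_at_least() {
    rel=$1
    case $rel in
        *.*) major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%[!0-9]*} ;;
        *)   major=${rel%%[!0-9]*}; minor=0 ;;
    esac
    minor=${minor:-0}
    [ "$major" -gt "$2" ] && return 0
    [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]
}

# count_offloaded [ADDR]: read `conntrack -L` output on stdin and print how
# many entries carry the [OFFLOAD] status flag, optionally only those whose
# original-direction source (the first src= field, which is what
# `conntrack -D -s ADDR` matches on) equals ADDR.
count_offloaded() {
    awk -v want="${1:-}" '
        /\[OFFLOAD\]/ {
            if (want == "") { n++; next }
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { if (substr($i, 5) == want) n++; break }
        }
        END { print n + 0 }'
}

# classify_conntrack_result RC STDERR_TEXT: 0 when conntrack succeeded,
# 2 when it was refused with EBUSY (offloaded entries left in place),
# 1 for any other failure. Assumes EBUSY surfaces as strerror text.
classify_conntrack_result() {
    [ "$1" -eq 0 ] && return 0
    case $2 in
        *"Device or resource busy"*|*EBUSY*) return 2 ;;
        *) return 1 ;;
    esac
}

# flush_conntrack [ADDR]: delete all entries, or those whose original-direction
# source is ADDR, and return 0 / 2 (EBUSY) / 1 as classified above.
flush_conntrack() {
    src=${1:-}
    before=$(conntrack -L 2>/dev/null | count_offloaded "$src")
    rc=0
    if [ -n "$src" ]; then
        err=$(conntrack -D -s "$src" 2>&1 >/dev/null) || rc=$?
    else
        err=$(conntrack -F 2>&1 >/dev/null) || rc=$?
    fi
    status=0
    classify_conntrack_result "$rc" "$err" || status=$?
    if [ "$status" -eq 2 ]; then
        printf 'conntrack refused the deletion: %s offloaded entries remain; kernel %s predates the fix or lacks the backport\n' \
            "$before" "$(uname -r)" >&2
    fi
    return "$status"
}

# Constructed sample in the shape of `conntrack -L` output (not a real capture):
# two offloaded flows from 1.2.3.4, one offloaded flow from 10.0.0.5 (whose
# reply tuple mentions 1.2.3.4), and one ordinary non-offloaded entry.
SAMPLE_CT_DUMP='tcp      6 src=1.2.3.4 dst=10.0.0.9 sport=40001 dport=443 src=10.0.0.9 dst=1.2.3.4 sport=443 dport=40001 [OFFLOAD] mark=0 use=2
tcp      6 src=1.2.3.4 dst=10.0.0.9 sport=40002 dport=443 src=10.0.0.9 dst=1.2.3.4 sport=443 dport=40002 [OFFLOAD] mark=0 use=2
udp      17 src=10.0.0.5 dst=1.2.3.4 sport=5000 dport=5000 src=1.2.3.4 dst=10.0.0.5 sport=5000 dport=5000 [OFFLOAD] mark=0 use=2
tcp      6 431998 ESTABLISHED src=1.2.3.4 dst=10.0.0.9 sport=40003 dport=22 src=10.0.0.9 dst=1.2.3.4 sport=22 dport=40003 [ASSURED] mark=0 use=1'

main() {
    if ! kernel_at_least "$(uname -r)" 6 3; then
        echo "note: kernel $(uname -r) is older than 6.3; deleting offloaded entries needs the backported fix" >&2
    fi
    flush_conntrack "${1:-}"
}

# Run only when executed as flush-offloaded.sh, so the file can also be sourced.
if [ "$(basename "$0")" = "flush-offloaded.sh" ]; then
    main "$@"
fi
```

Save it as flush-offloaded.sh and run `./flush-offloaded.sh 1.2.3.4` (or with no argument to flush everything) right after loading the new ruleset. The version test is only a hint, since the fix was also scheduled for -stable (comment #4); the exit code from the deletion itself is what to trust. Per comment #2, even on a fixed kernel the flowtable entry goes away only when the garbage collector next runs, so check that traffic is actually blocked a moment after the deletion rather than immediately.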
bugzilla-daemon at netfilter.org
2023-May-18 23:31 UTC
[Bug 1680] Trying to delete offloaded flow with conntrack results in EBUSY
https://bugzilla.netfilter.org/show_bug.cgi?id=1680
--- Comment #3 from Demi M. Obenour <demiobenour at gmail.com> ---
(In reply to Pablo Neira Ayuso from comment #1)
> There is a kernel patch to allow for this, starting 6.3
>
> commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51
> Author: Paul Blakey <paulb at nvidia.com>
> Date: Wed Mar 22 09:35:32 2023 +0200
>
> netfilter: ctnetlink: Support offloaded conntrack entry deletion
>
> Currently, offloaded conntrack entries (flows) can only be deleted
> after they are removed from offload, which is either by timeout,
> tcp state change or tc ct rule deletion. This can cause issues for
> users wishing to manually delete or flush existing entries.
>
> Support deletion of offloaded conntrack entries.
>
> Example usage:
> # Delete all offloaded (and non offloaded) conntrack entries
> # whose source address is 1.2.3.4
> $ conntrack -D -s 1.2.3.4
> # Delete all entries
> $ conntrack -F
>
> It should be possible to cherry-pick it to earlier kernel versions.

Should this patch be backported to stable releases?
bugzilla-daemon at netfilter.org
2023-Jun-01 19:40 UTC
[Bug 1680] Trying to delete offloaded flow with conntrack results in EBUSY
https://bugzilla.netfilter.org/show_bug.cgi?id=1680
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Demi M. Obenour from comment #3)
> (In reply to Pablo Neira Ayuso from comment #1)
> Should this patch be backported to stable releases?
This patch has been scheduled for the next -stable release.