diff options
author | Patrick McHardy <kaber@trash.net> | 2008-07-31 03:38:01 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-07-31 03:38:01 -0400 |
commit | ae375044d31075a31de5a839e07ded7f67b660aa (patch) | |
tree | 13f49a97aa48fa8f19cbe7055e0b5e4df3abc462 /net/netfilter | |
parent | a97a6f10771b90235b33c13a6db9279237a08422 (diff) |
netfilter: nf_conntrack_tcp: decrease timeouts while data in unacknowledged
In order to time out dead connections quicker, keep track of outstanding data
and cap the timeout.
Suggested by Herbert Xu.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 420a10d8eb1e..6f61261888ef 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
@@ -67,7 +67,8 @@ static const char *const tcp_conntrack_names[] = { | |||
67 | /* RFC1122 says the R2 limit should be at least 100 seconds. | 67 | /* RFC1122 says the R2 limit should be at least 100 seconds. |
68 | Linux uses 15 packets as limit, which corresponds | 68 | Linux uses 15 packets as limit, which corresponds |
69 | to ~13-30min depending on RTO. */ | 69 | to ~13-30min depending on RTO. */ |
70 | static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; | 70 | static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; |
71 | static unsigned int nf_ct_tcp_timeout_unacknowledged __read_mostly = 5 MINS; | ||
71 | 72 | ||
72 | static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = { | 73 | static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = { |
73 | [TCP_CONNTRACK_SYN_SENT] = 2 MINS, | 74 | [TCP_CONNTRACK_SYN_SENT] = 2 MINS, |
@@ -625,8 +626,10 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
625 | swin = win + (sack - ack); | 626 | swin = win + (sack - ack); |
626 | if (sender->td_maxwin < swin) | 627 | if (sender->td_maxwin < swin) |
627 | sender->td_maxwin = swin; | 628 | sender->td_maxwin = swin; |
628 | if (after(end, sender->td_end)) | 629 | if (after(end, sender->td_end)) { |
629 | sender->td_end = end; | 630 | sender->td_end = end; |
631 | sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; | ||
632 | } | ||
630 | /* | 633 | /* |
631 | * Update receiver data. | 634 | * Update receiver data. |
632 | */ | 635 | */ |
@@ -637,6 +640,8 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
637 | if (win == 0) | 640 | if (win == 0) |
638 | receiver->td_maxend++; | 641 | receiver->td_maxend++; |
639 | } | 642 | } |
643 | if (ack == receiver->td_end) | ||
644 | receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; | ||
640 | 645 | ||
641 | /* | 646 | /* |
642 | * Check retransmissions. | 647 | * Check retransmissions. |
@@ -951,9 +956,16 @@ static int tcp_packet(struct nf_conn *ct, | |||
951 | if (old_state != new_state | 956 | if (old_state != new_state |
952 | && new_state == TCP_CONNTRACK_FIN_WAIT) | 957 | && new_state == TCP_CONNTRACK_FIN_WAIT) |
953 | ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; | 958 | ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; |
954 | timeout = ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans | 959 | |
955 | && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans | 960 | if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans && |
956 | ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state]; | 961 | tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans) |
962 | timeout = nf_ct_tcp_timeout_max_retrans; | ||
963 | else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) & | ||
964 | IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED && | ||
965 | tcp_timeouts[new_state] > nf_ct_tcp_timeout_unacknowledged) | ||
966 | timeout = nf_ct_tcp_timeout_unacknowledged; | ||
967 | else | ||
968 | timeout = tcp_timeouts[new_state]; | ||
957 | write_unlock_bh(&tcp_lock); | 969 | write_unlock_bh(&tcp_lock); |
958 | 970 | ||
959 | nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); | 971 | nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); |
@@ -1236,6 +1248,13 @@ static struct ctl_table tcp_sysctl_table[] = { | |||
1236 | .proc_handler = &proc_dointvec_jiffies, | 1248 | .proc_handler = &proc_dointvec_jiffies, |
1237 | }, | 1249 | }, |
1238 | { | 1250 | { |
1251 | .procname = "nf_conntrack_tcp_timeout_unacknowledged", | ||
1252 | .data = &nf_ct_tcp_timeout_unacknowledged, | ||
1253 | .maxlen = sizeof(unsigned int), | ||
1254 | .mode = 0644, | ||
1255 | .proc_handler = &proc_dointvec_jiffies, | ||
1256 | }, | ||
1257 | { | ||
1239 | .ctl_name = NET_NF_CONNTRACK_TCP_LOOSE, | 1258 | .ctl_name = NET_NF_CONNTRACK_TCP_LOOSE, |
1240 | .procname = "nf_conntrack_tcp_loose", | 1259 | .procname = "nf_conntrack_tcp_loose", |
1241 | .data = &nf_ct_tcp_loose, | 1260 | .data = &nf_ct_tcp_loose, |