ACK: [SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: netfilter: conntrack: Check offload bit on table dump

Kleber Souza kleber.souza at canonical.com
Wed May 26 13:56:39 UTC 2021


On 24.05.21 21:12, Daniel Jurgens wrote:
> From: Roi Dayan <roid at nvidia.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1929458
> 
> If the conntrack entry is owned by the flow table offload infrastructure
> then don't do garbage collect when dumping the entries.
> The entry offload timeout might not be updated as the flow timeout is being
> updated.
> 
> To reproduce the issue we can do conntrack -L or cat
> /proc/net/nf_conntrack while rules are being offloaded.
> Sometimes rules will get deleted because the ct timeout expired.
> So check the offload bit like gc_worker() as other loops do.
> 
> This is not a final fix and it is still being investigated why the ct initial
> timeout was not enough before the offload path updated the ct timeout to a day.
> 
> Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
> Signed-off-by: Roi Dayan <roid at nvidia.com>
> Signed-off-by: Daniel Jurgens <danielj at nvidia.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

Thanks

> ---
>   include/net/netfilter/nf_conntrack.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index c7bfddf..4f51b62 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -276,7 +276,7 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct)
>   static inline bool nf_ct_should_gc(const struct nf_conn *ct)
>   {
>   	return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) &&
> -	       !nf_ct_is_dying(ct);
> +	       !nf_ct_is_dying(ct) && !test_bit(IPS_OFFLOAD_BIT, &ct->status);
>   }
>   
>   #define	NF_CT_DAY	(86400 * HZ)
> 
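
Review bot: the new `!test_bit(IPS_OFFLOAD_BIT, &ct->status)` term sits in nf_ct_should_gc(), a shared static inline in the header, so every caller of the helper stops reaping offloaded entries, not only the table dump path named in the subject. The commit message says gc_worker() and other loops already test the bit themselves, which makes this check redundant for them and raises the question of whether any remaining caller relies on expired offloaded entries being collected here; it would help to list the callers in the commit message and confirm each one. Since the message also states this is not a final fix, a short comment above nf_ct_should_gc() saying that offloaded entries are skipped because their timeout is refreshed by the flow table offload code would keep the intent clear if the root cause is fixed later and this term is revisited.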



