Re: [BUG REPORT] netfilter: DNS/SNAT Issue in Kubernetes Environment

On Wed, May 28, 2025 at 8:31 PM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
>
> On Wed, May 28, 2025 at 8:15 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> > > > And I don't see how you can encounter a DNS reply before at least one
> > > > request has been committed to the table -- i.e., the conntrack being
> > > > confirmed here should not exist -- the packet should have been picked up
> > > > as a reply packet.
> > >
> > > We've been able to consistently reproduce this behavior. Would you
> > > have any recommended debugging approaches we could try?
> >
> > Can you figure out why nf_ct_resolve_clash_harder() doesn't handle the
> > clash?
>
> I will try it.

After tracing with bpftrace, I found that the __nf_ct_resolve_clash()
function returns NF_DROP. Should I provide any additional details?

>
> >
> > AFAIU reply tuple is identical while original isn't.  It would be good
> > to confirm.  If they were the same, I'd have expected
> > nf_ct_resolve_clash_harder() to merge the conntracks (nf_ct_can_merge()
> > branch in __nf_ct_resolve_clash).
> >
> > Could you also dump/show the origin and reply tuples for the existing
> > entry and the clashing (new) entry?
>
> On the original 6.1.y kernel (unmodified) there are two entries:
> $ cat /proc/net/nf_conntrack | grep 10.242.249.78
> ipv4     2 udp      17 119 src=10.242.249.78 dst=169.254.1.2 sport=49469 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 dport=49469 [ASSURED] mark=0 zone=0 use=2
> ipv4     2 udp      17 29 src=169.254.1.2 dst=10.242.249.78 sport=53 dport=49469 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=49469 dport=477 mark=0 zone=0 use=2
>
>
> After applying commit d8f84a9bc7c4, only one entry remains:
> $ cat /proc/net/nf_conntrack | grep 10.242.249.78
> ipv4     2 udp      17 106 src=10.242.249.78 dst=169.254.1.2 sport=34616 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 dport=34616 [ASSURED] mark=0 zone=0 use=2
>
>
> After the additional custom hack, the entries now show two records:
> $ cat /proc/net/nf_conntrack | grep 10.242.249.78
> ipv4     2 udp      17 27 src=169.254.1.2 dst=10.242.249.78 sport=53 dport=46858 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=46858 dport=53 mark=0 zone=0 use=2
> ipv4     2 udp      17 27 src=10.242.249.78 dst=169.254.1.2 sport=46858 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 dport=46858 mark=0 zone=0 use=2
>
>
> --
> Regards
> Yafang



-- 
Regards
Yafang
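Added example, not part of the thread and not code from the kernel tree: a small Python script that parses the three dumps quoted above (each entry re-joined onto one line), extracts the original and reply tuple of every entry and reports which tuples coincide between entries, which is the information Florian asked for. The clash condition it checks (either of the two tuples of the entry being confirmed equal to either tuple already hashed for an existing entry) is an assumption taken from the way __nf_conntrack_confirm() looks up both tuples before handing the packet to the clash resolver; the script does not model nf_ct_resolve_clash() or the merge decision itself.

```python
import re
from dataclasses import dataclass
from itertools import combinations

KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


@dataclass(frozen=True)
class Tuple:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def __str__(self):
        return f"{self.proto} {self.src}:{self.sport} -> {self.dst}:{self.dport}"


@dataclass(frozen=True)
class Entry:
    timeout: int
    orig: Tuple       # direction that created the entry
    reply: Tuple      # direction the kernel expects answers to match
    flags: frozenset  # state flags such as UNREPLIED or ASSURED


def parse_entry(line):
    """One nf_conntrack line: l3 l3num l4 l4num timeout key=value ... with two
    src/dst/sport/dport quadruples, original direction first, reply second."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("ipv4", "ipv6"):
        raise ValueError(f"not a conntrack entry: {line!r}")
    l4proto, timeout = fields[2], int(fields[4])
    quads, cur = [], {}
    for key, value in KV.findall(line):
        if key not in TUPLE_KEYS:
            continue        # mark=, zone=, use= are not part of a tuple
        if key in cur:      # a repeated key means the reply quadruple starts
            quads.append(cur)
            cur = {}
        cur[key] = value
    quads.append(cur)
    if len(quads) != 2 or any(set(q) != set(TUPLE_KEYS) for q in quads):
        raise ValueError(f"expected two complete tuples in: {line!r}")
    orig, reply = (Tuple(l4proto, q["src"], q["dst"], int(q["sport"]), int(q["dport"]))
                   for q in quads)
    return Entry(timeout, orig, reply, frozenset(FLAG.findall(line)))


def parse_dump(text):
    """Parse a whole dump, skipping blank lines and anything that is not an entry."""
    return [parse_entry(ln) for ln in text.splitlines()
            if ln.split()[:1] in (["ipv4"], ["ipv6"])]


def find_clashes(entries):
    """(i, j, dir_j, dir_i) for every tuple of entry j equal to a tuple of an
    earlier entry i in either direction: the condition under which confirming j
    would have gone through the clash resolver (assumed from the confirm path)."""
    hits = []
    for (i, a), (j, b) in combinations(enumerate(entries), 2):
        for bdir, bt in (("orig", b.orig), ("reply", b.reply)):
            for adir, at in (("orig", a.orig), ("reply", a.reply)):
                if at == bt:
                    hits.append((i, j, bdir, adir))
    return hits


def compare_directions(a, b):
    """The question raised in the thread: same reply tuple, different original?"""
    return {"orig_equal": a.orig == b.orig, "reply_equal": a.reply == b.reply}


# The three dumps from the mail, each entry re-joined onto a single line.
DUMP_UNMODIFIED = """\
ipv4     2 udp      17 119 src=10.242.249.78 dst=169.254.1.2 sport=49469 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 dport=49469 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=169.254.1.2 dst=10.242.249.78 sport=53 dport=49469 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=49469 dport=477 mark=0 zone=0 use=2
"""
DUMP_PATCHED = """\
ipv4     2 udp      17 106 src=10.242.249.78 dst=169.254.1.2 sport=34616 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 dport=34616 [ASSURED] mark=0 zone=0 use=2
"""
DUMP_HACK = """\
ipv4     2 udp      17 27 src=169.254.1.2 dst=10.242.249.78 sport=53 dport=46858 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=46858 dport=53 mark=0 zone=0 use=2
ipv4     2 udp      17 27 src=10.242.249.78 dst=169.254.1.2 sport=46858 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 dport=46858 mark=0 zone=0 use=2
"""


def report(name, text):
    """Print both tuples of every entry plus any tuple shared between entries."""
    entries = parse_dump(text)
    print(f"== {name}: {len(entries)} entries")
    for n, e in enumerate(entries):
        print(f"  [{n}] orig  {e.orig}\n      reply {e.reply}  {sorted(e.flags)}")
    for i, j, bdir, adir in find_clashes(entries):
        print(f"  clash: entry {j} {bdir} tuple == entry {i} {adir} tuple")
    return entries


if __name__ == "__main__":
    report("6.1.y unmodified", DUMP_UNMODIFIED)
    report("with d8f84a9bc7c4", DUMP_PATCHED)
    report("custom hack", DUMP_HACK)
```

Run as-is it prints each entry's two tuples and any tuple shared between entries. On the dumps as posted: in the unmodified 6.1.y output neither tuple of one entry equals a tuple of the other (the second entry's reply tuple carries dport=477, not 53) and the original tuples differ; with d8f84a9bc7c4 there is a single entry and nothing to compare; in the custom-hack output the reply tuple of the [UNREPLIED] entry equals the original tuple of the other entry. Feeding it a live `cat /proc/net/nf_conntrack` gives the same view for whatever pair of entries is under suspicion.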