From bebafa72a982784164a7d556bd860ec0ed1e02c7 Mon Sep 17 00:00:00 2001
From: Yumei Huang
Date: Sat, 14 Feb 2026 15:31:36 +0800
Subject: udp: Split activity timeouts for UDP flows

Frequent DNS queries over UDP from a container or guest can result in many sockets shown in ss(8), typically one per flow. This is expected and harmless, but it can make the output of ss(8) look noisy and potentially concern users.

This patch splits UDP flow timeouts into two, mirroring the Linux kernel, and sources the values from kernel parameters. The shorter timeout is applied to unidirectional flows and minimal bidirectional exchanges (single datagram and reply), while the longer timeout is used for bidirectional flows with multiple datagrams on either side.

Link: https://bugs.passt.top/show_bug.cgi?id=197
Suggested-by: Stefano Brivio
Signed-off-by: Yumei Huang
Signed-off-by: Stefano Brivio
---
 contrib/apparmor/abstractions/passt | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'contrib')

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 0ffadaf..85bd1ee 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -41,6 +41,10 @@
@{PROC}/sys/net/ipv4/tcp_syn_linear_timeouts r, @{PROC}/sys/net/ipv4/tcp_rto_max_ms r, + # udp_get_timeout_params(), udp.c + @{PROC}/sys/net/netfilter/nf_conntrack_udp_timeout r, + @{PROC}/sys/net/netfilter/nf_conntrack_udp_timeout_stream r, + network netlink raw, # nl_sock_init_do(), netlink.c network inet stream, # tcp.c
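Review bot: The two new `@{PROC}/sys/net/netfilter/nf_conntrack_udp_timeout*` rules in the abstractions/passt hunk only grant read access, which is the right minimum, but they point at sysctls that exist only while the nf_conntrack module is loaded; on a host without it (or in a namespace where `/proc/sys/net/netfilter` is not exposed) the open() in udp_get_timeout_params() will fail with ENOENT rather than EACCES, so please confirm that udp.c treats a missing or unparsable file as "use the built-in defaults" and does not abort startup. Since this view is limited to 'contrib', the udp.c side referenced by the `# udp_get_timeout_params(), udp.c` comment is not visible here; a one-line note in the commit message stating the fallback behaviour when the parameters cannot be read would make the AppArmor change reviewable on its own, and would match the comment style already used for `tcp_syn_linear_timeouts` and `tcp_rto_max_ms` in the surrounding context.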