1. 28 Sep, 2012 1 commit
    • ipvs: Fix faulty IPv6 extension header handling in IPVS · 63dca2c0
      Jesper Dangaard Brouer authored
      IPv6 packets can contain extension headers, thus it's wrong to assume
      that the transport/upper-layer header starts right after the IPv6
      header (struct ipv6hdr).  IPVS uses this false assumption, and will
      write SNAT & DNAT modifications at a fixed pos which will corrupt the
      message.
      
      To fix this, proper header position must be found before modifying
      packets.  Introducing ip_vs_fill_iph_skb(), which uses ipv6_find_hdr()
      to skip the exthdrs. It finds (1) the transport header offset, (2) the
      protocol, and (3) detects if the packet is a fragment.
      
      Note that fragments in IPv6 are represented via an exthdr.  Thus, this
      is detected while skipping through the exthdrs.
      
      This patch depends on commit 84018f55:
       "netfilter: ip6_tables: add flags parameter to ipv6_find_hdr()"
      This also adds a dependency to ip6_tables.
      
      Originally based on patch from: Hans Schillstrom
      
      kABI notes:
      Changing struct ip_vs_iphdr is a potential minor kABI breaker,
      because external modules can be compiled with another version of
      this struct.  This should not matter, as they would most-likely
      be using a compiled-in version of ip_vs_fill_iphdr().  When
      recompiled, they will notice ip_vs_fill_iphdr() no longer exists,
      and they have to use ip_vs_fill_iph_skb() instead.
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
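      As an added illustration of the extension-header walk the commit above describes (example code written for this page, not the kernel's ipv6_find_hdr() or ip_vs_fill_iph_skb(); the function names ip6_find_l4, ip6_dnat_tcp_dport, build_sample and demo_* and the sample packet are this example's own constructions):

```c
/* Added example, not kernel code: find the IPv6 transport header by walking
 * extension headers before touching ports. Every name here (ip6_find_l4,
 * ip6_dnat_tcp_dport, build_sample, demo_*) and the packet are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { IPV6_HLEN = 40, NH_HOP = 0, NH_TCP = 6, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_AUTH = 51, NH_NONE = 59, NH_DEST = 60 };

/* proto: upper-layer protocol (-1 if none); off: byte offset of the transport
 * header; fragment/first_frag: a Fragment exthdr was seen / its offset was 0. */
struct ip6_l4 { int proto; size_t off; int fragment; int first_frag; };

/* Skip Hop-by-Hop, Routing, Dest Opts, AH and Fragment headers.
 * Returns 0 and fills *r, or -1 on a truncated or unsupported chain. */
int ip6_find_l4(const uint8_t *p, size_t len, struct ip6_l4 *r)
{
    if (len < IPV6_HLEN || (p[0] >> 4) != 6) return -1;
    *r = (struct ip6_l4){ .proto = -1 };
    int nh = p[6];                                   /* Next Header of the fixed header */
    size_t off = IPV6_HLEN, hlen;
    for (int hops = 0; hops < 16; hops++) {          /* bound the walk */
        switch (nh) {
        case NH_HOP: case NH_ROUTING: case NH_DEST:  /* Hdr Ext Len: 8-octet units, first 8 excluded */
            if (off + 2 > len) return -1;
            hlen = ((size_t)p[off + 1] + 1) * 8;
            break;
        case NH_AUTH:                                /* AH Payload Len: 32-bit words minus 2 */
            if (off + 2 > len) return -1;
            hlen = ((size_t)p[off + 1] + 2) * 4;
            break;
        case NH_FRAGMENT:
            if (off + 8 > len) return -1;
            r->fragment = 1;
            r->first_frag = (((p[off + 2] << 8) | p[off + 3]) & 0xfff8) == 0;
            hlen = 8;
            break;
        case NH_NONE:
            return -1;
        default:                                     /* upper-layer header reached */
            r->proto = nh; r->off = off; return 0;
        }
        if (off + hlen > len) return -1;
        nh = p[off];                                 /* every exthdr starts with Next Header */
        off += hlen;
        if (r->fragment && !r->first_frag) {         /* non-first fragment: no L4 header here */
            r->proto = nh; r->off = off; return 0;
        }
    }
    return -1;
}

/* DNAT the TCP destination port at the real transport offset; returns that
 * offset. TCP checksum fixup is omitted here; a real NAT must update it too. */
int ip6_dnat_tcp_dport(uint8_t *p, size_t len, uint16_t port)
{
    struct ip6_l4 l4;
    if (ip6_find_l4(p, len, &l4) < 0 || l4.proto != NH_TCP) return -1;
    if ((l4.fragment && !l4.first_frag) || l4.off + 4 > len) return -1;
    p[l4.off + 2] = (uint8_t)(port >> 8);
    p[l4.off + 3] = (uint8_t)port;
    return (int)l4.off;
}

/* Constructed sample: IPv6 | Dest Opts (8 B) | Fragment (8 B, offset 0) | TCP (20 B). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[] = {
        0x60, 0, 0, 0, 0, 36, NH_DEST, 64,                          /* ver 6, payload len 36 */
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, /* src 2001:db8::1 */
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, /* dst 2001:db8::2 */
        NH_FRAGMENT, 0, 0x01, 0x04, 0, 0, 0, 0,                     /* Dest Opts: next=Fragment, PadN(4) */
        NH_TCP, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef,              /* Fragment: next=TCP, offset 0, M=1 */
        0xc3, 0x50, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 /* TCP SYN 50000->80 */
    };
    if (cap < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Transport offset the walker finds for the sample: 56, not the fixed 40. */
int demo_l4_offset(void)
{
    uint8_t buf[128]; struct ip6_l4 l4;
    size_t n = build_sample(buf, sizeof buf);
    return ip6_find_l4(buf, n, &l4) == 0 ? (int)l4.off : -1;
}

/* 1 when DNAT lands at offset 56 and the PadN bytes at 42..43 are left intact. */
int demo_dnat_ok(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof buf);
    return ip6_dnat_tcp_dport(buf, n, 8080) == 56 &&
           buf[58] == 0x1f && buf[59] == 0x90 && buf[42] == 0x01 && buf[43] == 0x04;
}
```

      A write at the fixed position sizeof(struct ipv6hdr) + 2 would land on the PadN option inside the Destination Options header of this sample, which is the corruption the commit describes; the walker instead reports offset 56 and the DNAT helper refuses non-first fragments, whose bytes carry no port fields at all. The kernel's ipv6_find_hdr() does the same walk and additionally reports the fragment offset through the flags parameter mentioned above.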
  2. 30 Apr, 2012 1 commit
  3. 01 Nov, 2011 1 commit
  4. 31 Mar, 2011 1 commit
  5. 03 Feb, 2011 1 commit
  6. 13 Jan, 2011 7 commits
  7. 25 Nov, 2010 1 commit
    • IPVS: Handle Scheduling errors. · a5959d53
      Hans Schillstrom authored

      If ip_vs_conn_fill_param_persist return an error to ip_vs_sched_persist,
      this error must propagate as ignored=-1 to ip_vs_schedule().
      Errors from ip_vs_conn_new() in ip_vs_sched_persist() and ip_vs_schedule()
      should also return *ignored=-1;
      
      This patch just relies on the fact that ignored is 1 before calling
      ip_vs_sched_persist().
      
      Sent from Julian:
        "The new case when ip_vs_conn_fill_param_persist fails
         should set *ignored = -1, so that we can use NF_DROP,
         see below. *ignored = -1 should be also used for ip_vs_conn_new
         failure in ip_vs_sched_persist() and ip_vs_schedule().
         The new negative value should be handled in tcp,udp,sctp"
      
      "To summarize:
      
      - *ignored = 1:
            protocol tried to schedule (eg. on SYN), found svc but the
            svc/scheduler decides that this packet should be accepted with
            NF_ACCEPT because it must not be scheduled.
      
      - *ignored = 0:
            scheduler can not find destination, so try bypass or
            return ICMP and then NF_DROP (ip_vs_leave).
      
      - *ignored = -1:
            scheduler tried to schedule but fatal error occurred, eg.
            ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param
            failure such as missing Call-ID, ENOMEM on skb_linearize
            or pe_data. In this case we should return NF_DROP without
            any attempts to send ICMP with ip_vs_leave."
      
      More or less all ideas and input to this patch are work from
      Julian Anastasov
      Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  8. 21 Oct, 2010 2 commits
    • ipvs: provide address family for debugging · 0d79641a
      Julian Anastasov authored

      As skb->protocol is not valid in LOCAL_OUT, add
      parameter for address family in packet debugging functions.
      Even if ports are not present in AH and ESP change them to
      use ip_vs_tcpudp_debug_packet to show at least valid addresses
      as before. This patch removes the last user of skb->protocol
      in IPVS.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: do not schedule conns from real servers · 190ecd27
      Julian Anastasov authored

      This patch is needed to avoid scheduling of
      packets from local real server when we add ip_vs_in
      in LOCAL_OUT hook to support local client.
      
      Currently, when ip_vs_in cannot find an existing
      connection it tries to create new one by calling ip_vs_schedule.
      
      The default indication from ip_vs_schedule was if
      connection was scheduled to real server. If real server is
      not available we try to use the bypass forwarding method
      or to send ICMP error. But in some cases we do not want to use
      the bypass feature. So, add flag 'ignored' to indicate if
      the scheduler ignores this packet.
      
      Make sure we do not create new connections from replies.
      We can hit this problem for persistent services and local real
      server when ip_vs_in is added to LOCAL_OUT hook to handle
      local clients.
      
      Also, make sure ip_vs_schedule ignores SYN packets
      for Active FTP DATA from local real server. The FTP DATA
      connection should be created on SYN+ACK from client to assign
      correct connection daddr.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  9. 05 Oct, 2010 1 commit
  10. 02 Aug, 2010 1 commit
  11. 09 Jul, 2010 1 commit
  12. 18 Feb, 2010 1 commit