
Re: [PATCH] ipvs: fix ipv6 icmp forwarding in natted services

To: Art -kwaak- van Breemen <ard@xxxxxxxxxxxxxxx>
Subject: Re: [PATCH] ipvs: fix ipv6 icmp forwarding in natted services
Cc: Ansis Atteka <aatteka@xxxxxxxxxx>, Julian Anastasov <ja@xxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, Jesper Dangaard Brouer <brouer@xxxxxxxxxx>
From: Hans Schillstrom <hans@xxxxxxxxxxxxxxx>
Date: Wed, 19 Feb 2014 21:28:38 +0100
Hello

On Wed, 2014-02-19 at 18:05 +0100, Art -kwaak- van Breemen wrote:
> Hi Hans,
> 
> On Wed, Feb 19, 2014 at 05:04:17PM +0100, Hans Schillstrom wrote:
> > The problem is if icmp6 is not the first header it will not work...
> > i.e. it can be other headers before icmp and if you have -1 you will not
> > always get the icmp header.
> 
> Ah bah, I thought they move every extra header after the payload.
> 
> > The patch that broke it was:
> > commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8
> > Author: Ansis Atteka <aatteka@xxxxxxxxxx>
> 
> I will take a hard look into that one :-).
> 
> > --- a/net/ipv6/exthdrs_core.c     2014-02-19 16:36:22.031686037 +0100
> > +++ b/net/ipv6/exthdrs_core.c     2014-02-19 16:37:28.838082168 +0100
> 
> If I patch my kernel:
> ard@freeze8dev:/mnt/source/kernels/build-hp-ws/l-3.13.3$ diff -u net/netfilter/ipvs/ip_vs_core.c{.org,} ;diff -u net/ipv6/exthdrs_core.c{.org,}
> --- net/netfilter/ipvs/ip_vs_core.c.org 2014-01-22 14:46:53.222738221 +0100
> +++ net/netfilter/ipvs/ip_vs_core.c     2014-02-19 17:48:09.306379357 +0100
> @@ -735,7 +735,10 @@
>         struct ipv6hdr *ciph;
>         unsigned short fragoffs;
>  
> -       ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, NULL);
> +       EnterFunction(10);
> +       protocol=ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, 
> NULL);
> +       //ipv6_find_hdr(skb, &icmp_offset, -1, &fragoffs, NULL);
> +       IP_VS_DBG(15,"icmp_offset=%d,protocol=%d\n",icmp_offset,protocol);
>         icmph = (struct icmp6hdr *)(skb_network_header(skb) + icmp_offset);
>         offs = icmp_offset + sizeof(struct icmp6hdr);
>         ciph = (struct ipv6hdr *)(skb_network_header(skb) + offs);
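Review bot: The result of ipv6_find_hdr() is stored in protocol and printed, but nothing acts on it: icmph is still computed from icmp_offset on the very next line whatever the call returned. A negative return should bail out before skb_network_header(skb) + icmp_offset is dereferenced, otherwise a failed lookup keeps parsing from whatever icmp_offset happens to hold. No declaration of protocol is visible among the added lines, so one is needed next to fragoffs. The commented-out `//ipv6_find_hdr(... -1 ...)` line and the C++-style comment should be dropped before this is submitted.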
> @@ -780,6 +783,7 @@
>                 IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
>                               (void *)ciph - (void *)iph,
>                               "Forwarding altered incoming ICMPv6");
> +       LeaveFunction(10);
>  }
>  #endif
>  
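Review bot: LeaveFunction(10) at the end of the function only pairs with the new EnterFunction(10) on the fall-through path. If an early return is added for a failed header lookup, it needs its own LeaveFunction(10) or the Enter/Leave trace becomes unbalanced. This tracing is debug instrumentation and is better kept out of the patch that carries the actual fix.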
> --- net/ipv6/exthdrs_core.c.org 2013-11-06 13:32:34.653688901 +0100
> +++ net/ipv6/exthdrs_core.c     2014-02-19 17:49:38.771351902 +0100
> @@ -211,6 +211,8 @@
>                 unsigned int hdrlen;
>                 found = (nexthdr == target);
>  
> +               if (found && (target > 0))
> +                       break;
>                 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
>                         if (target < 0)
>                                 break;
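Review bot: The added test `found && (target > 0)` skips the early exit for target == 0, which is a valid header value (IPPROTO_HOPOPTS); the existing `if (target < 0)` check below shows that only negative values mean "no specific target". Use `target >= 0` so every explicit target takes the same path, and drop the redundant parentheses. A short comment saying why the walk stops here, before the extension-header test that follows, would help the next reader.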
> 
> I get this again:
> Feb 19 18:02:36 c43236 kernel: [106578.432947] IPVS: Enter: ip_vs_out, net/netfilter/ipvs/ip_vs_core.c line 1120
> Feb 19 18:02:36 c43236 kernel: [106578.432950] IPVS: Outgoing ICMPv6 (2,0) 2001:7b8:2ff:6f::1->2a02:310:0:1013::1005
> Feb 19 18:02:36 c43236 kernel: [106578.432954] IPVS: lookup/out TCP [2001:7b8:32d:0:1864:b6ff:febf:3636]:39993->[2a02:310:0:1013::1005]:80 not hit
> Feb 19 18:02:36 c43236 kernel: [106578.432956] IPVS: Incoming ICMPv6 (2,0) 2001:7b8:2ff:6f::1->2a02:310:0:1013::1005
> Feb 19 18:02:36 c43236 kernel: [106578.432960] IPVS: lookup/in TCP [2001:7b8:32d:0:1864:b6ff:febf:3636]:39993->[2a02:310:0:1013::1005]:80 hit
> Feb 19 18:02:36 c43236 kernel: [106578.432962] IPVS: Enter: ip_vs_icmp_xmit_v6, net/netfilter/ipvs/ip_vs_xmit.c line 1186
> Feb 19 18:02:36 c43236 kernel: [106578.432964] IPVS: Enter: ip_vs_nat_icmp_v6, net/netfilter/ipvs/ip_vs_core.c line 738
> Feb 19 18:02:36 c43236 kernel: [106578.432965] IPVS: icmp_offset=0,protocol=-2

This one bothers me.
Why does it return -ENOENT?

On entering ipv6_find_hdr(), the initial nexthdr should be 0x3a (ICMPv6):
  u8 nexthdr = ipv6_hdr(skb)->nexthdr;
and target is also 0x3a, i.e. found is true and target > 0,
 then break and return 3a.

That didn't happen. Why?
 - Just a check: did you rebuild ipv6 or, if it is not a module, the kernel?


> Feb 19 18:02:36 c43236 kernel: [106578.432966] IPv6 header not found
> Feb 19 18:02:36 c43236 kernel: [106578.432969] IPVS: Leave: ip_vs_nat_icmp_v6, net/netfilter/ipvs/ip_vs_core.c line 786
> Feb 19 18:02:36 c43236 kernel: [106578.432974] IPVS: Leave: ip_vs_icmp_xmit_v6, net/netfilter/ipvs/ip_vs_xmit.c line 1263
> 
> I will take a closer look...
> 
> Regards,
> Ard
> 
> 
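The header walk discussed in this mail, as a simplified user-space model added here as an example; it is not the kernel's ipv6_find_hdr() and not code from this thread. It goes beyond the case in the mail by also covering ICMPv6 behind an extension header. The names `find_hdr`, `build_sample` and `IS_EXT` and the sample packet are assumptions, and only Hop-by-Hop, Routing and Destination Options are modelled as extension headers (Fragment and AH are not).

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum { HOPOPTS = 0, ROUTING = 43, ICMPV6 = 58 /* 0x3a */, DSTOPTS = 60, FIXED_LEN = 40 };
#define IS_EXT(nh) ((nh) == HOPOPTS || (nh) == ROUTING || (nh) == DSTOPTS)

/* Model of the walk: returns the protocol found and sets *offset, or -ENOENT.
 * target < 0 asks for the first header that is not an extension header. */
int find_hdr(const uint8_t *pkt, size_t len, int target, size_t *offset)
{
	size_t off = FIXED_LEN, hlen;
	uint8_t nexthdr;

	if (len < FIXED_LEN)
		return -ENOENT;
	nexthdr = pkt[6];		/* Next Header of the fixed header */
	for (;;) {
		if (target >= 0 && nexthdr == target)
			break;		/* requested header found: stop here */
		if (!IS_EXT(nexthdr)) {
			if (target < 0)
				break;	/* first upper-layer header */
			return -ENOENT;	/* chain ended without the target */
		}
		if (len - off < 8)	/* an extension header is at least 8 bytes */
			return -ENOENT;
		hlen = ((size_t)pkt[off + 1] + 1) * 8;
		if (len - off < hlen)	/* declared length must fit the packet */
			return -ENOENT;
		nexthdr = pkt[off];
		off += hlen;
	}
	*offset = off;
	return nexthdr;
}

/* Constructed sample (only the fields the model reads are set):
 * fixed header, optional 8-byte Hop-by-Hop of Pad1 bytes, ICMPv6 type 2. */
size_t build_sample(uint8_t buf[64], int with_hopopts)
{
	size_t off = FIXED_LEN;
	memset(buf, 0, 64);
	buf[6] = with_hopopts ? HOPOPTS : ICMPV6;
	if (with_hopopts) {
		buf[off] = ICMPV6;	/* Next Header inside Hop-by-Hop */
		off += 8;		/* Hdr Ext Len 0 means 8 bytes */
	}
	buf[off] = 2;			/* ICMPv6 type 2, code 0 */
	return off + 8;
}
```

A caller still has to check the return value, and that a full ICMPv6 header fits at the returned offset, before dereferencing it.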
