Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections

To:	Julian Anastasov <ja@xxxxxx>
Subject:	Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections
Cc:	lvs-devel@xxxxxxxxxxxxxxx, Nick Moriarty <nick.moriarty@xxxxxxxxxx>
From:	Simon Horman <horms@xxxxxxxxxxxx>
Date:	Mon, 1 May 2017 11:48:46 +0200

On Mon, May 01, 2017 at 11:28:59AM +0300, Julian Anastasov wrote:
> 
>       Hello,
> 
> On Mon, 1 May 2017, Simon Horman wrote:
> 
> > On Sat, Apr 29, 2017 at 08:33:09PM +0300, Julian Anastasov wrote:
> > > We do not check if packet from real server is for NAT
> > > connection before performing SNAT. This causes problems
> > > for setups that use DR/TUN and allow local clients to
> > > access the real server directly, for example:
> > > 
> > > - local client in director creates IPVS-DR/TUN connection
> > > CIP->VIP and the request packets are routed to RIP.
> > > Talks are finished but IPVS connection is not expired yet.
> > > 
> > > - second local client creates non-IPVS connection CIP->RIP
> > > with same reply tuple RIP->CIP and when replies are received
> > > on LOCAL_IN we wrongly assign them for the first client
> > > connection because RIP->CIP matches the reply direction.
> > > As result, IPVS SNATs replies for non-IPVS connections.
> > > 
> > > The problem is more visible to local UDP clients but in rare
> > > cases it can happen also for TCP or remote clients when the
> > > real server sends the reply traffic via the director.
> > > 
> > > So, better to be more precise for the reply traffic.
> > > As replies are not expected for DR/TUN connections, better
> > > to not touch them.
> > > 
> > > Reported-by: Nick Moriarty <nick.moriarty@xxxxxxxxxx>
> > > Tested-by: Nick Moriarty <nick.moriarty@xxxxxxxxxx>
> > > Signed-off-by: Julian Anastasov <ja@xxxxxx>
> > > ---
> > > 
> > > I know that 4.11 is to be released soon, I prefer this patch
> > > to linger in the net tree during the 4.12-rc cycle.
> > 
> > I have no problem with queueing this up as a fix for v4.12 as you describe
> > but do you also want it to be considered for -stable?
> 
>       Yes, I'll post patches for stable kernels later today.

Thanks, I have pushed this patch to the ipvs tree.
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections, Simon Horman Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections, Julian Anastasov Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections, Simon Horman <=

Previous by Date:	Re: [GIT PULL 0/2] Third Round of IPVS Updates for v4.12, Pablo Neira Ayuso
Next by Date:	[PATCH 3.2.88,3.4.113 -stable 1/3] ipvs: SNAT packet replies only for NATed connections, Julian Anastasov
Previous by Thread:	Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections, Julian Anastasov
Next by Thread:	Re: [GIT PULL 0/2] Third Round of IPVS Updates for v4.12, Pablo Neira Ayuso
Indexes:	[Date] [Thread] [Top] [All Lists]