
Re: [PATCH net] ipvs: register conntrack hooks for ftp

To: Julian Anastasov <ja@xxxxxx>, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Subject: Re: [PATCH net] ipvs: register conntrack hooks for ftp
Cc: lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx
From: Simon Horman <horms@xxxxxxxxxxxx>
Date: Fri, 1 Jun 2018 15:28:31 -0400
On Thu, May 24, 2018 at 11:40:12PM +0300, Julian Anastasov wrote:
> ip_vs_ftp requires conntrack modules for mangling
> of FTP command responses in passive mode.
> 
> Make sure the conntrack hooks are registered when
> real servers use NAT method in FTP virtual service.
> The hooks will be registered while the service is
> present.
> 
> Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when 
> needed by ruleset")
> Signed-off-by: Julian Anastasov <ja@xxxxxx>

Acked-by: Simon Horman <horms+renesas@xxxxxxxxxxxx>

Pablo, please take this into nf if it is not too much trouble.

> ---
>  include/net/ip_vs.h            | 30 ++++++++++++++++++++++++++++++
>  net/netfilter/ipvs/ip_vs_ctl.c |  4 ++++
>  2 files changed, 34 insertions(+)
> 
> diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
> index eb0bec0..ae72d90 100644
> --- a/include/net/ip_vs.h
> +++ b/include/net/ip_vs.h
> @@ -643,6 +643,7 @@ struct ip_vs_service {
>  
>       /* alternate persistence engine */
>       struct ip_vs_pe __rcu   *pe;
> +     int                     conntrack_afmask;
>  
>       struct rcu_head         rcu_head;
>  };
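Review bot: The added `int conntrack_afmask;` is the only member in this stretch of struct ip_vs_service without a comment, while the neighbouring `pe` field carries one, and the meaning of its bits is only visible in the helpers added further down in the same header. A one-line comment next to the field would spare readers that lookup, e.g. `/* AF bits (1: non-IPv6, 2: AF_INET6) holding a nf_ct_netns_get() reference */`. The struct definition begins outside this hunk.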
> @@ -1620,6 +1621,35 @@ static inline bool ip_vs_conn_uses_conntrack(struct 
> ip_vs_conn *cp,
>       return false;
>  }
>  
> +static inline int ip_vs_register_conntrack(struct ip_vs_service *svc)
> +{
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK)
> +     int afmask = (svc->af == AF_INET6) ? 2 : 1;
> +     int ret = 0;
> +
> +     if (!(svc->conntrack_afmask & afmask)) {
> +             ret = nf_ct_netns_get(svc->ipvs->net, svc->af);
> +             if (ret >= 0)
> +                     svc->conntrack_afmask |= afmask;
> +     }
> +     return ret;
> +#else
> +     return 0;
> +#endif
> +}
> +
> +static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc)
> +{
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK)
> +     int afmask = (svc->af == AF_INET6) ? 2 : 1;
> +
> +     if (svc->conntrack_afmask & afmask) {
> +             nf_ct_netns_put(svc->ipvs->net, svc->af);
> +             svc->conntrack_afmask &= ~afmask;
> +     }
> +#endif
> +}
> +
>  static inline int
>  ip_vs_dest_conn_overhead(struct ip_vs_dest *dest)
>  {
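Review bot: Both new helpers do an unlocked read-modify-write of `svc->conntrack_afmask`, and nothing in the header says what serialises concurrent calls; the visible callers are in ip_vs_ctl.c, where I would expect them to run under `__ip_vs_mutex`, but that should be stated rather than assumed. A short comment above `ip_vs_register_conntrack()` such as `/* Caller must serialise updates of svc->conntrack_afmask (ip_vs_ctl.c holds __ip_vs_mutex) */` would make the contract explicit. As a point of style, the `? 2 : 1` bit selection is duplicated in both helpers as bare literals; a single named constant pair or a tiny `ip_vs_conntrack_afmask(svc)` helper would keep the two in step if a third caller ever appears.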
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 3ecca06..ee0ab27 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -835,6 +835,9 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct 
> ip_vs_dest *dest,
>                *    For now only for NAT!
>                */
>               ip_vs_rs_hash(ipvs, dest);
> +             /* FTP-NAT requires conntrack for mangling */
> +             if (svc->port == FTPPORT)
> +                     ip_vs_register_conntrack(svc);
>       }
>       atomic_set(&dest->conn_flags, conn_flags);
>  
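Review bot: The return value of `ip_vs_register_conntrack(svc)` is dropped, so a failing `nf_ct_netns_get()` leaves an FTP-NAT service without conntrack hooks and nobody is told; the mask stays clear, so a later dest update will retry, but passive-mode FTP silently does not work until then. Since `__ip_vs_update_dest()` cannot propagate the error, at least reporting it seems worthwhile: `if (svc->port == FTPPORT && ip_vs_register_conntrack(svc) < 0)` followed by `IP_VS_ERR_RL("failed to register conntrack hooks for FTP service\n");`. The enclosing function starts and ends outside this hunk.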
> @@ -1458,6 +1461,7 @@ static void __ip_vs_del_service(struct ip_vs_service 
> *svc, bool cleanup)
>   */
>  static void ip_vs_unlink_service(struct ip_vs_service *svc, bool cleanup)
>  {
> +     ip_vs_unregister_conntrack(svc);
>       /* Hold svc to avoid double release from dest_trash */
>       atomic_inc(&svc->refcnt);
>       /*
> -- 
> 2.9.5
> 
