[PATCH net-next 0/2] Drop IPVS conn templates under attack

To: Simon Horman <horms@xxxxxxxxxxxx>
Subject: [PATCH net-next 0/2] Drop IPVS conn templates under attack
Cc: lvs-devel@xxxxxxxxxxxxxxx, mkoutny@xxxxxxxx, mkubecek@xxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 2 Jun 2018 21:50:00 +0300

This patchset implements an assured flag for connection templates
in the first patch, so that the second patch can use it to decide
whether to drop connection templates under attack.

The patchset is based on the implementation from Michal Koutný but
extended to other protocols. The other difference is that we
use cp->state for template flags because there are not many
free bits in cp->flags that are sent in the sync protocol.

As it is late in the kernel cycle, you may consider this as an RFC;
it should linger in net-next for more time.

Julian Anastasov (2):
  ipvs: add assured state for conn templates
  ipvs: drop conn templates under attack

 include/net/ip_vs.h                   |  7 +++-
 net/netfilter/ipvs/ip_vs_conn.c       | 67 ++++++++++++++++++++++-------------
 net/netfilter/ipvs/ip_vs_proto.c      | 19 ++++++++--
 net/netfilter/ipvs/ip_vs_proto_sctp.c |  7 ++++
 net/netfilter/ipvs/ip_vs_proto_tcp.c  |  7 ++++
 net/netfilter/ipvs/ip_vs_proto_udp.c  |  7 ++++
 net/netfilter/ipvs/ip_vs_sync.c       | 18 +++++-----
 7 files changed, 94 insertions(+), 38 deletions(-)

