Re: [PATCH] ipvs: fix ipv6 icmp forwarding in natted services

To: Hans Schillstrom <hans@xxxxxxxxxxxxxxx>
Subject: Re: [PATCH] ipvs: fix ipv6 icmp forwarding in natted services
Cc: Julian Anastasov <ja@xxxxxx>, Ansis Atteka <aatteka@xxxxxxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, Jesper Dangaard Brouer <brouer@xxxxxxxxxx>, Patrick McHardy <kaber@xxxxxxxxx>
From: Art -kwaak- van Breemen <ard@xxxxxxxxxxxxxxx>
Date: Thu, 20 Feb 2014 19:56:19 +0100

On Thu, Feb 20, 2014 at 02:10:44PM +0100, Art -kwaak- van Breemen wrote:
> On Wed, Feb 19, 2014 at 11:08:43PM +0100, Hans Schillstrom wrote:
> > >   May be above check should be:
> > > 
> > >   if (target < 0 || found)
> > >           break;
> > 
> > It will work for hmark and it looks like it will work for others,
> > with -1 
> > 
> > Maybe Patrick have another opinion...

I ack the working of that change for my specific case: passing
pmtud's correctly:
Feb 20 18:58:59 c43236 kernel: [  721.473388] IPVS: Enter: ip_vs_icmp_xmit_v6, net/netfilter/ipvs/ip_vs_xmit.c line 1186
Feb 20 18:58:59 c43236 kernel: [  721.473389] IPVS: Enter: ip_vs_nat_icmp_v6, net/netfilter/ipvs/ip_vs_core.c line 738
Feb 20 18:58:59 c43236 kernel: [  721.473390] IPVS: icmp_offset=40,protocol=58
Feb 20 18:58:59 c43236 kernel: [  721.473391] IPVS: ip_vs_nat_icmp_v6() changed port 80 to 80
Feb 20 18:58:59 c43236 kernel: [  721.473393] IPVS: Leave: ip_vs_nat_icmp_v6, net/netfilter/ipvs/ip_vs_core.c line 786
Feb 20 18:58:59 c43236 kernel: [  721.473396] IPVS: Leave: ip_vs_icmp_xmit_v6, net/netfilter/ipvs/ip_vs_xmit.c line 1263

18:58:59.067282 00:23:24:26:b4:5c > 00:23:24:26:b4:34, ethertype IPv6 (0x86dd), length 1294: 2001:7b8:2ff:6f::1 > 2a02:310:0:1013::1003: ICMP6, packet too big, mtu 1472, length 1240

So the "|| found" sounds sane.
But now I'm going to be an ass by saying that maybe both patches must be
applied because we only get into ip_vs_nat_icmp_v6 by ip_vs_fill_iph_skb in
include/net/ip_vs.h, which determines the protocol and the start of the
protocol header by using -1 as target in ipv6_find_hdr.
Actually, before we reach that nat function we have traversed several 
constructs of:
protocol = ipv6_find_hdr(skb, &offset, -1, NULL, NULL);   /* target = -1 */
if (protocol != IPPROTO_ICMPV6)
        return NF_ACCEPT;                                 /* bail out */
/* (and maybe use offset) */

So I think it's clearer for the total code if we follow the exact same
pattern: find a protocol, bail out if the protocol is wrong.
It should never happen at that point, but there are more things that never
should happen :-).

Anyway: whatever you guys decide, I owe you all beer. I think we are one of the
few companies that assume a working pmtud for ipv6. Most of the top companies
just use an mtu of 1280 because the "hardware" loadbalancer cannot handle it
(yet) or just want to prevent the hassle. Thanks!


Ard van Breemen
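A stand-alone model of the header walk and the "find a protocol, bail out if the protocol is wrong" pattern discussed in this thread, added here as an illustration. It is not kernel code and not part of the original mail: the find_hdr() walker, the build_ptb() sample builder and the NEXTHDR_* constants are assumptions written for this example, and the packet is constructed, not captured. It reproduces the two numbers seen above, the icmp_offset=40 from the debug log (no extension headers) and the 1472-byte MTU from the tcpdump line, and adds the case of one Destination Options header in front of the ICMPv6 header, where the offset becomes 48.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header values (RFC 2460 / RFC 4443). The names follow the
 * kernel's NEXTHDR_* convention, but everything here is a stand-alone model. */
#define IPV6_HDRLEN       40
#define NEXTHDR_HOP       0
#define NEXTHDR_TCP       6
#define NEXTHDR_ROUTING   43
#define NEXTHDR_FRAGMENT  44
#define NEXTHDR_AUTH      51
#define NEXTHDR_ICMPV6    58
#define NEXTHDR_DEST      60
#define ICMPV6_PKT_TOOBIG 2

/* Walk the extension-header chain. target < 0 asks for the upper-layer header;
 * target >= 0 stops at that header type. Either way the walk ends at the
 * upper-layer header when the chain runs out, so the caller must still compare
 * the returned protocol (the "bail out if protocol wrong" step). Returns the
 * header type found and stores its offset in *offset; -1 on a truncated packet. */
static int find_hdr(const uint8_t *pkt, size_t len, int target, unsigned int *offset)
{
    unsigned int off = IPV6_HDRLEN, hdrlen;
    int nexthdr;

    if (len < IPV6_HDRLEN)
        return -1;
    nexthdr = pkt[6];
    for (;;) {
        int found = (nexthdr == target);
        int is_ext = (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING ||
                      nexthdr == NEXTHDR_FRAGMENT || nexthdr == NEXTHDR_AUTH ||
                      nexthdr == NEXTHDR_DEST);
        if (found || !is_ext)          /* requested header, or end of the chain */
            break;
        if (off + 8 > len)
            return -1;
        if (nexthdr == NEXTHDR_FRAGMENT)
            hdrlen = 8;                                /* fixed 8 bytes */
        else if (nexthdr == NEXTHDR_AUTH)
            hdrlen = (pkt[off + 1] + 2u) * 4u;         /* AH: 32-bit words, minus 2 */
        else
            hdrlen = (pkt[off + 1] + 1u) * 8u;         /* HBH/RT/DST: 8-octet units, minus 1 */
        nexthdr = pkt[off];
        off += hdrlen;
    }
    if (off > len)
        return -1;
    *offset = off;
    return nexthdr;
}

/* The pattern in front of ip_vs_nat_icmp_v6: locate the upper-layer protocol
 * with target = -1 and bail out unless it is ICMPv6 (modelled as returning 0,
 * where the kernel path would return NF_ACCEPT). Otherwise return the MTU
 * carried by a Packet Too Big message. */
static uint32_t ptb_mtu(const uint8_t *pkt, size_t len)
{
    unsigned int off;
    int proto = find_hdr(pkt, len, -1, &off);

    if (proto != NEXTHDR_ICMPV6 || off + 8 > len || pkt[off] != ICMPV6_PKT_TOOBIG)
        return 0;
    return ((uint32_t)pkt[off + 4] << 24) | ((uint32_t)pkt[off + 5] << 16) |
           ((uint32_t)pkt[off + 6] << 8)  |  (uint32_t)pkt[off + 7];
}

/* Constructed sample (not a capture): IPv6 base header, optionally one 8-byte
 * Destination Options header (a PadN option), then an ICMPv6 Packet Too Big
 * header with the given MTU. Addresses and checksum stay zero; they do not
 * affect the header walk. Returns the packet length. */
static size_t build_ptb(uint8_t *buf, size_t cap, int with_dstopts, uint32_t mtu)
{
    size_t n = IPV6_HDRLEN;

    if (cap < 64)
        return 0;
    memset(buf, 0, cap);
    buf[0] = 0x60;                                     /* version 6 */
    buf[6] = with_dstopts ? NEXTHDR_DEST : NEXTHDR_ICMPV6;
    buf[7] = 64;                                       /* hop limit */
    if (with_dstopts) {
        buf[n] = NEXTHDR_ICMPV6;                       /* next header after DST opts */
        buf[n + 1] = 0;                                /* ext len 0 => 8 bytes total */
        buf[n + 2] = 1; buf[n + 3] = 4;                /* PadN, 4 bytes of padding */
        n += 8;
    }
    buf[n] = ICMPV6_PKT_TOOBIG;                        /* type 2, code 0 */
    buf[n + 4] = (uint8_t)(mtu >> 24); buf[n + 5] = (uint8_t)(mtu >> 16);
    buf[n + 6] = (uint8_t)(mtu >> 8);  buf[n + 7] = (uint8_t)mtu;
    n += 8;
    buf[4] = (uint8_t)((n - IPV6_HDRLEN) >> 8);        /* payload length */
    buf[5] = (uint8_t)((n - IPV6_HDRLEN) & 0xff);
    return n;
}

/* ICMPv6 header offset found with target = -1: 40 without extension headers
 * (the icmp_offset=40 in the log), 48 with one; -1 if it is not ICMPv6. */
static int icmp_offset(int with_dstopts)
{
    uint8_t buf[64];
    unsigned int off;
    size_t n = build_ptb(buf, sizeof buf, with_dstopts, 1472);

    return find_hdr(buf, n, -1, &off) == NEXTHDR_ICMPV6 ? (int)off : -1;
}

/* MTU read from the sample; with_tcp rewrites the chain so TCP follows the
 * Destination Options header, which exercises the bail-out path. */
static uint32_t sample_mtu(int with_dstopts, int with_tcp)
{
    uint8_t buf[64];
    size_t n = build_ptb(buf, sizeof buf, with_dstopts, 1472);

    if (with_tcp)
        buf[with_dstopts ? IPV6_HDRLEN : 6] = NEXTHDR_TCP;
    return ptb_mtu(buf, n);
}

int main(void)
{
    printf("icmp offset, no ext hdr:   %d\n", icmp_offset(0));
    printf("icmp offset, with dstopts: %d\n", icmp_offset(1));
    printf("PTB mtu:                   %u\n", sample_mtu(1, 0));
    printf("TCP instead (bailed out):  %u\n", sample_mtu(1, 1));
    return 0;
}
```

The walker stops on `found || !is_ext`; with target = -1 nothing ever matches, so it runs to the upper-layer header, and with a concrete target it stops early only when that header is actually present, which is why the protocol check after the call is still needed in both cases.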