On Mon, May 01, 2017 at 11:28:59AM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Mon, 1 May 2017, Simon Horman wrote:
>
> > On Sat, Apr 29, 2017 at 08:33:09PM +0300, Julian Anastasov wrote:
> > > We do not check if packet from real server is for NAT
> > > connection before performing SNAT. This causes problems
> > > for setups that use DR/TUN and allow local clients to
> > > access the real server directly, for example:
> > >
> > > - local client in director creates IPVS-DR/TUN connection
> > > CIP->VIP and the request packets are routed to RIP.
> > > Talks are finished but IPVS connection is not expired yet.
> > >
> > > - second local client creates non-IPVS connection CIP->RIP
> > > with same reply tuple RIP->CIP and when replies are received
> > > on LOCAL_IN we wrongly assign them for the first client
> > > connection because RIP->CIP matches the reply direction.
> > > As a result, IPVS SNATs replies for non-IPVS connections.
> > >
> > > The problem is more visible to local UDP clients but in rare
> > > cases it can happen also for TCP or remote clients when the
> > > real server sends the reply traffic via the director.
> > >
> > > So, better to be more precise for the reply traffic.
> > > As replies are not expected for DR/TUN connections, better
> > > to not touch them.
> > >
> > > Reported-by: Nick Moriarty <nick.moriarty@xxxxxxxxxx>
> > > Tested-by: Nick Moriarty <nick.moriarty@xxxxxxxxxx>
> > > Signed-off-by: Julian Anastasov <ja@xxxxxx>
> > > ---
> > >
> > > I know that 4.11 is to be released soon; I prefer this patch
> > > to linger in the net tree during the 4.12-rc cycle.
> >
> > I have no problem with queueing this up as a fix for v4.12 as you describe
> > but do you also want it to be considered for -stable?
>
> Yes, I'll post patches for stable kernels later today.
Thanks, I have pushed this patch to the ipvs tree.
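The failure mode described in the commit message, as an added illustration (constructed model, not the kernel's IPVS code): a simplified reply-direction lookup that matches on the RIP->CIP tuple alone will claim a stale DR connection and SNAT a non-IPVS reply; requiring the connection to be a NAT (masquerade) one leaves DR/TUN replies untouched. Addresses, ports and the table layout are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the IPVS reply path; not kernel code. */
enum fwd { FWD_MASQ, FWD_DR, FWD_TUN };           /* NAT, direct routing, tunnel */

struct conn { uint32_t caddr, vaddr, daddr; uint16_t cport, vport, dport; enum fwd fwd; };
struct pkt  { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Reply-direction lookup: packet source is the real server, destination the client. */
static const struct conn *conn_out_get(const struct conn *tab, int n, const struct pkt *p)
{
    for (int i = 0; i < n; i++)
        if (tab[i].daddr == p->saddr && tab[i].dport == p->sport &&
            tab[i].caddr == p->daddr && tab[i].cport == p->dport)
            return &tab[i];
    return 0;
}

/* Returns 1 if the reply was SNATed (RIP->VIP), 0 if left untouched.
 * check_fwd=0: any matching connection is used (the bug described above).
 * check_fwd=1: only NAT connections, the only ones that expect replies. */
static int handle_reply(const struct conn *tab, int n, struct pkt *p, int check_fwd)
{
    const struct conn *cp = conn_out_get(tab, n, p);
    if (!cp || (check_fwd && cp->fwd != FWD_MASQ))
        return 0;
    p->saddr = cp->vaddr;
    p->sport = cp->vport;
    return 1;
}

#define CIP 0x0A000001u  /* 10.0.0.1, local client on the director (constructed) */
#define VIP 0x0A000064u  /* 10.0.0.100 (constructed) */
#define RIP 0x0A000002u  /* 10.0.0.2 (constructed) */

/* Scenario from the report: a not-yet-expired DR connection CIP:5000->VIP:53 (RIP:53)
 * is still in the table; a second local client talks directly CIP:5000->RIP:53 and the
 * reply RIP:53->CIP:5000 matches its reply tuple. Returns the reply's source address. */
uint32_t reply_src_after(int check_fwd)
{
    struct conn tab[] = { { CIP, VIP, RIP, 5000, 53, 53, FWD_DR } };
    struct pkt reply = { RIP, CIP, 53, 5000 };
    handle_reply(tab, 1, &reply, check_fwd);
    return reply.saddr;
}

int main(void)
{
    printf("without check: reply src %08x (VIP is %08x)\n", reply_src_after(0), VIP);
    printf("with check:    reply src %08x (RIP is %08x)\n", reply_src_after(1), RIP);
    return 0;
}
```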