Hello,
On Mon, 1 May 2017, Simon Horman wrote:
> On Sat, Apr 29, 2017 at 08:33:09PM +0300, Julian Anastasov wrote:
> > We do not check if packet from real server is for NAT
> > connection before performing SNAT. This causes problems
> > for setups that use DR/TUN and allow local clients to
> > access the real server directly, for example:
> >
> > - local client in director creates IPVS-DR/TUN connection
> > CIP->VIP and the request packets are routed to RIP.
> > Talks are finished but IPVS connection is not expired yet.
> >
> > - second local client creates non-IPVS connection CIP->RIP
> > with same reply tuple RIP->CIP and when replies are received
> > on LOCAL_IN we wrongly assign them for the first client
> > connection because RIP->CIP matches the reply direction.
> > As a result, IPVS SNATs replies for non-IPVS connections.
> >
> > The problem is more visible to local UDP clients but in rare
> > cases it can happen also for TCP or remote clients when the
> > real server sends the reply traffic via the director.
> >
> > So, better to be more precise for the reply traffic.
> > As replies are not expected for DR/TUN connections, better
> > to not touch them.
> >
> > Reported-by: Nick Moriarty <nick.moriarty@xxxxxxxxxx>
> > Tested-by: Nick Moriarty <nick.moriarty@xxxxxxxxxx>
> > Signed-off-by: Julian Anastasov <ja@xxxxxx>
> > ---
> >
> > I know that 4.11 is to be released soon, I prefer this patch
> > to linger in the net tree during the 4.12-rc cycle.
>
> I have no problem with queueing this up as a fix for v4.12 as you describe
> but do you also want it to be considered for -stable?
Yes, I'll post patches for stable kernels later today.
Regards
--
Julian Anastasov <ja@xxxxxx>
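To make the failure mode in the quoted description concrete, here is an added example (my own simplified model, not IPVS kernel code) of the reply-direction lookup and the SNAT decision. It assumes a flat connection table keyed only by addresses; the enum and function names are this example's own, and the addresses are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Forwarding method of an IPVS connection (simplified, names are this example's own). */
enum fwd { FWD_NAT, FWD_DR, FWD_TUN };

struct conn {
    uint32_t cip, vip, rip;   /* client, virtual and real server addresses */
    enum fwd method;
};

/* Reply-direction lookup: a packet RIP->CIP matches any connection whose
 * real server and client addresses form that tuple, whatever its method. */
static const struct conn *lookup_reply(const struct conn *tab, size_t n,
                                       uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].rip == src && tab[i].cip == dst)
            return &tab[i];
    return NULL;
}

/* Reply packet seen on LOCAL_IN; returns the (possibly rewritten) source.
 * Before the fix every matched connection was SNATed; with the fix only
 * NAT connections are, because DR/TUN connections never carry replies. */
static uint32_t handle_reply(const struct conn *tab, size_t n,
                             uint32_t src, uint32_t dst, int fixed)
{
    const struct conn *cp = lookup_reply(tab, n, src, dst);
    if (!cp)
        return src;
    if (fixed && cp->method != FWD_NAT)
        return src;               /* leave non-NAT traffic untouched */
    return cp->vip;               /* SNAT: RIP -> VIP */
}

/* Constructed addresses: clients 10.0.0.1/10.0.0.2, VIP 10.0.0.100, RIP 10.0.0.200 */
#define CIP  0x0a000001u
#define CIP2 0x0a000002u
#define VIP  0x0a000064u
#define RIP  0x0a0000c8u

/* Scenario from the mail: a lingering DR connection CIP->VIP, plus a reply
 * RIP->CIP that really belongs to a direct, non-IPVS CIP->RIP session. */
static const struct conn table[] = { { CIP, VIP, RIP, FWD_DR }, { CIP2, VIP, RIP, FWD_NAT } };

uint32_t reply_src_before_fix(void) { return handle_reply(table, 2, RIP, CIP, 0); }
uint32_t reply_src_after_fix(void)  { return handle_reply(table, 2, RIP, CIP, 1); }
uint32_t nat_reply_src(void)        { return handle_reply(table, 2, RIP, CIP2, 1); }
```

Before the fix the direct client's reply source is rewritten to the VIP; after it the DR entry is skipped while replies for the genuine NAT connection are still translated.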