Hello,
On Thu, 17 Apr 2008, Jason Stubbs wrote:
> > - do not play with packets accounted for sockets (skb->sk != NULL).
> > There was a check you removed. Please, reconsider.
>
> With this check restored, the director can't access the virtual server. I
> haven't found any solid documentation, but skb->sk seems to be the local
> socket that the packet is tied to? Is there some badness that can happen by
> allowing these packets to be LVS'd?
Hm, I didn't know that with your patch the director can be a client.
The problem was that IPVS didn't touch packets owned by sockets
before. I remember that there are rules for when such skbs should be
modified, related to sharing and cloning; maybe skbs should be
copied if modified. But I assume now skb_make_writable() handles
it properly.
> > - ability to throttle IPVS traffic with netfilter modules. How
> > we can benefit from such modules, can they protect us, can we avoid
> > IPVS scheduling on overload (such modules should work before IPVS conn
> > scheduling, which should be true if you schedule in POST_ROUTING).
> > Was true for LOCAL_IN scheduling.
>
> Are you referring to ipt_RECENT here? That module tested ok.
Yes, for example, -m limit for SYN packets _BEFORE_
IPVS scheduling to protect IPVS from SYN floods. But this should
be checked only for changes that move IPVS scheduling to PRE_ROUTING.
Regards
--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
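The SYN-throttling idea raised in the reply above, as an added example that is not part of the thread or of the IPVS code: a small POSIX sh script that emits (or, when run as root without dry-run, applies) iptables rules which rate-limit TCP SYNs to one virtual service with -m limit and drop the excess, so that only SYNs within the configured rate ever reach IPVS connection scheduling. The VIP, port, rate and burst values are constructed inputs. The chain placement is an assumption: with scheduling in LOCAL_IN the filter INPUT chain (priority 0) runs before the IPVS hook, as the reply notes; for a patch that moves scheduling to PRE_ROUTING the mangle PREROUTING chain is only a candidate and must be checked against the hook priority that patch actually registers.

```shell
#!/bin/sh
# Added example, not from the lvs-devel thread or from IPVS itself.
# Rate-limits TCP SYNs to a virtual service before IPVS schedules them.

# chain_for_hook HOOK
# Prints "table chain" for an iptables chain that runs before IPVS
# scheduling at the given netfilter hook. Assumption: filter INPUT runs
# before the IPVS LOCAL_IN hook; mangle PREROUTING is the earliest
# common PRE_ROUTING chain and must be verified for a PRE_ROUTING patch.
chain_for_hook() {
    case $1 in
        LOCAL_IN)    echo "filter INPUT" ;;
        PRE_ROUTING) echo "mangle PREROUTING" ;;
        *)           echo "unknown hook: $1" >&2; return 1 ;;
    esac
}

# ipvs_syn_limit_rules VIP PORT RATE BURST TABLE CHAIN
# Prints one iptables command per line. SYNs within RATE (with BURST
# initial tokens) are accepted and continue to IPVS; the rest are
# dropped before any IPVS connection entry is created. Non-SYN packets
# are not touched, so established connections are unaffected.
ipvs_syn_limit_rules() {
    vip=$1; port=$2; rate=$3; burst=$4; table=$5; chain=$6
    printf 'iptables -t %s -A %s -d %s -p tcp --dport %s --syn -m limit --limit %s --limit-burst %s -j ACCEPT\n' \
        "$table" "$chain" "$vip" "$port" "$rate" "$burst"
    printf 'iptables -t %s -A %s -d %s -p tcp --dport %s --syn -j DROP\n' \
        "$table" "$chain" "$vip" "$port"
}

# apply_syn_limit DRY_RUN VIP PORT RATE BURST HOOK
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (needs root).
apply_syn_limit() {
    dry=$1; vip=$2; port=$3; rate=$4; burst=$5; hook=$6
    set -- $(chain_for_hook "$hook") || return 1
    ipvs_syn_limit_rules "$vip" "$port" "$rate" "$burst" "$1" "$2" |
    while IFS= read -r cmd; do
        if [ "$dry" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd" || return 1
        fi
    done
}

# Constructed usage: VIP 192.0.2.10 port 80, 50 SYN/s with a burst of
# 100, for the LOCAL_IN scheduling case, printed rather than applied.
apply_syn_limit 1 192.0.2.10 80 50/s 100 LOCAL_IN
```

The ACCEPT in the mangle table only ends traversal of that chain, so for the PRE_ROUTING variant the accepted SYNs still continue to later hooks; the DROP is what keeps a flood away from the scheduler. Tune --limit-burst to the expected legitimate connection bursts, since once the bucket is empty every SYN above the steady rate is lost.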