Hello,
On Tue, 20 Jan 2015, Alex Gartrell wrote:
> skb->sk can be set in the early_demux path. This can be problematic, as it
> may be a time-wait socket, which will blow up in the ip6_output path when
> we try to pull out the non-existent pinet6 pointer (the type-punning causes
> that pointer to be garbage).
>
> This patch orphans the skb if it's not a local socket, so we no longer have
> to worry about running into the time-wait problem from early demux.
Good idea. But there is a case where for traffic to
local real server we return NF_ACCEPT.
In this case we have to preserve the skb->sk. I guess
skb_orphan should be used as follows. skb->dev is NULL
for LOCAL_OUT and non-NULL for LOCAL_IN/FORWARD but
for FORWARD we do not care for skb->sk. So, we can
check just for skb->dev.
- ip_vs_send_or_cont: Handles ip_vs_null_xmit,
ip_vs_bypass_xmit*, ip_vs_dr_xmit*, ip_vs_icmp_xmit(non-NAT)
/* Not a local client? */
if (skb->dev)
skb_orphan(skb);
It should be added only before NF_HOOK.
I.e. when 'local' is true (local RIP) we should not
drop the socket.
- ip_vs_nat_send_or_cont(NAT): same but no matter the 'local' var
because we can change daddr/dport in packet and to
return NF_ACCEPT. As daddr/dport changes we have to drop
the socket. In the worst case, when RIP:RPORT
matches VIP:VPORT daddr/dport do not change but we
do not have indication, we blindly drop sk. In
such case DR method is recommended instead, it will not
drop the socket when 'local' is true.
if (skb->dev)
skb_orphan(skb);
- ip_vs_tunnel_xmit_prepare (TUN): before nf_reset(),
it is called for remote real server (i.e. no 'local' var there):
if (skb->dev)
skb_orphan(skb);
Regards
--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
|