
[PATCH net] ipvs: register conntrack hooks for ftp

To: Simon Horman <horms@xxxxxxxxxxxx>
Subject: [PATCH net] ipvs: register conntrack hooks for ftp
Cc: lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 24 May 2018 23:40:12 +0300
ip_vs_ftp requires conntrack modules for mangling
of FTP command responses in passive mode.

Make sure the conntrack hooks are registered when
real servers use NAT method in FTP virtual service.
The hooks will be registered while the service is
present.

Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed 
by ruleset")
Signed-off-by: Julian Anastasov <ja@xxxxxx>
---
 include/net/ip_vs.h            | 30 ++++++++++++++++++++++++++++++
 net/netfilter/ipvs/ip_vs_ctl.c |  4 ++++
 2 files changed, 34 insertions(+)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index eb0bec0..ae72d90 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -643,6 +643,7 @@ struct ip_vs_service {
 
        /* alternate persistence engine */
        struct ip_vs_pe __rcu   *pe;
+       int                     conntrack_afmask;
 
        struct rcu_head         rcu_head;
 };
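Review bot: The new `conntrack_afmask` member is the only field in this part of `struct ip_vs_service` without a comment, and its bit layout is defined only implicitly by the helpers added further down in the same header (`(svc->af == AF_INET6) ? 2 : 1`). Suggest `/* address families holding a conntrack netns ref: 1 = AF_INET, 2 = AF_INET6 */` on the line above it so a reader of the struct does not have to find the helpers. The struct's opening is outside the hunk.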
@@ -1620,6 +1621,35 @@ static inline bool ip_vs_conn_uses_conntrack(struct 
ip_vs_conn *cp,
        return false;
 }
 
+static inline int ip_vs_register_conntrack(struct ip_vs_service *svc)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+       int afmask = (svc->af == AF_INET6) ? 2 : 1;
+       int ret = 0;
+
+       if (!(svc->conntrack_afmask & afmask)) {
+               ret = nf_ct_netns_get(svc->ipvs->net, svc->af);
+               if (ret >= 0)
+                       svc->conntrack_afmask |= afmask;
+       }
+       return ret;
+#else
+       return 0;
+#endif
+}
+
+static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+       int afmask = (svc->af == AF_INET6) ? 2 : 1;
+
+       if (svc->conntrack_afmask & afmask) {
+               nf_ct_netns_put(svc->ipvs->net, svc->af);
+               svc->conntrack_afmask &= ~afmask;
+       }
+#endif
+}
+
 static inline int
 ip_vs_dest_conn_overhead(struct ip_vs_dest *dest)
 {
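Review bot: Both new helpers lack a kernel-doc comment, and the address-family encoding of `conntrack_afmask` (bit value 1 for non-IPv6, 2 for AF_INET6) is duplicated as a bare ternary in each of them rather than stated once. A short comment above `ip_vs_register_conntrack` would cover it: take one conntrack netns reference per service for svc->af, record it in svc->conntrack_afmask so register/unregister pair correctly, and return 0 or the negative errno from nf_ct_netns_get(). The mask is read-modify-written with no visible locking; presumably callers run under __ip_vs_mutex, but that assumption belongs in the same comment so the next caller does not break it.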
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 3ecca06..ee0ab27 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -835,6 +835,9 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct 
ip_vs_dest *dest,
                 *    For now only for NAT!
                 */
                ip_vs_rs_hash(ipvs, dest);
+               /* FTP-NAT requires conntrack for mangling */
+               if (svc->port == FTPPORT)
+                       ip_vs_register_conntrack(svc);
        }
        atomic_set(&dest->conn_flags, conn_flags);
 
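Review bot: The return value of `ip_vs_register_conntrack(svc)` is dropped, so a failed `nf_ct_netns_get()` (negative errno) leaves the FTP NAT service active without the conntrack hooks this commit is meant to guarantee, and nothing is logged. If propagating the error out of __ip_vs_update_dest is not wanted, at least report it: `if (ip_vs_register_conntrack(svc) < 0) IP_VS_ERR_RL("conntrack registration failed for FTP service\n");`. The `svc->port == FTPPORT` test also covers only port 21; ip_vs_ftp can be loaded with other ports via its module parameter, and such services would not get the hooks, which is worth stating in the comment if that limitation is accepted. __ip_vs_update_dest starts outside the hunk.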
@@ -1458,6 +1461,7 @@ static void __ip_vs_del_service(struct ip_vs_service 
*svc, bool cleanup)
  */
 static void ip_vs_unlink_service(struct ip_vs_service *svc, bool cleanup)
 {
+       ip_vs_unregister_conntrack(svc);
        /* Hold svc to avoid double release from dest_trash */
        atomic_inc(&svc->refcnt);
        /*
-- 
2.9.5

