This patchset changes how templates are dropped under attack.

Patch 1 changes the ip_vs_state_name arguments, so that we can
print info in a followup patch by using just the state.

Patch 2 implements an assured flag for connection templates to
indicate that the connection progressed after the initial packet.

Patch 3 uses the assured state to decide whether to drop connection
templates under attack.

The patchset is based on the implementation from Michal Koutný but
extended to other protocols. The other difference is that we
use cp->state for template flags because there are not many
free bits in cp->flags that are sent in the sync protocol
messages.

v1->v2:
- first patch in v1 was split to patches 1 and 2
- in patch 2 do not clear unknown bits in the state received by backup server

Julian Anastasov (3):
  ipvs: provide just conn to ip_vs_state_name
  ipvs: add assured state for conn templates
  ipvs: drop conn templates under attack

 include/net/ip_vs.h                   | 18 +++++++++-
 net/netfilter/ipvs/ip_vs_conn.c       | 67 ++++++++++++++++++++++-------------
 net/netfilter/ipvs/ip_vs_proto.c      | 19 ++++++++--
 net/netfilter/ipvs/ip_vs_proto_sctp.c |  2 ++
 net/netfilter/ipvs/ip_vs_proto_tcp.c  |  2 ++
 net/netfilter/ipvs/ip_vs_proto_udp.c  |  2 ++
 net/netfilter/ipvs/ip_vs_sync.c       | 18 ++++------
 7 files changed, 88 insertions(+), 40 deletions(-)

--
2.9.5
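
The idea in the cover letter above, as an added user-space model that is not code from the patchset or the kernel: a template is marked assured once a connection it controls gets past its initial packet, and the drop pass run under attack removes only templates that were never assured. Every name below is hypothetical, and the trigger for "progressed" (a completed TCP handshake) is an assumption.

```c
#include <stddef.h>

/* Simplified user-space model; every name here is hypothetical. */
enum { TPL_S_ASSURED = 0x01 };      /* template flag kept in the state field */

struct conn {
    int is_template;                /* persistence template or real connection */
    unsigned state;                 /* for templates: flag bits */
    struct conn *control;           /* controlling template, NULL if none */
    int dropped;
};

/* A controlled connection got past its initial packet (assumed trigger,
 * e.g. a completed TCP handshake): mark its template as assured. */
void conn_progressed(struct conn *cp)
{
    if (cp->control)
        cp->control->state |= TPL_S_ASSURED;
}

/* Drop pass run while under attack; returns how many templates it dropped.
 * Reference counting of controlled connections is left out of the model. */
size_t drop_unassured_templates(struct conn *tab, size_t n)
{
    size_t dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tab[i].is_template || tab[i].dropped ||
            (tab[i].state & TPL_S_ASSURED))
            continue;               /* not a template, gone, or assured */
        tab[i].dropped = 1;
        dropped++;
    }
    return dropped;
}

/* Constructed scenario: n_flood clients send one packet only, n_legit
 * clients progress. Returns the number of templates that survive. */
size_t simulate(size_t n_flood, size_t n_legit)
{
    static struct conn tab[256];
    size_t n = n_flood + n_legit, alive = 0;
    if (2 * n > 256)
        return 0;                   /* scenario too large for the table */
    for (size_t i = 0; i < n; i++) {
        tab[2 * i] = (struct conn){ .is_template = 1 };
        tab[2 * i + 1] = (struct conn){ .control = &tab[2 * i] };
        if (i >= n_flood)
            conn_progressed(&tab[2 * i + 1]);
    }
    drop_unassured_templates(tab, 2 * n);
    for (size_t i = 0; i < 2 * n; i++)
        alive += tab[i].is_template && !tab[i].dropped;
    return alive;
}
```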