On Sat, 1 Dec 2001, Julian Anastasov wrote:
> > it. The LVS then sends out a port unreachable:
> >
> > 14:21:15.564637 > 1.2.3.1 > 1.2.3.198: icmp: a.b.c.d tcp port 64866
> > unreachable [tos 0xc0]
>
> The code that replies with the ICMP can be removed, but then
> one problem remains: connection reuse. The client can select a
> port for direct talks with the RIP, but if that port was used
> some seconds before for CIP->VIP talks, it is possible for LVS to catch
> these replies as part of the previous connection's life.
But a proper TCP/IP stack on a client will not re-use the same port
that quickly, unless it is REALLY loaded with connections right?
And a client won't (can't?) use the same source port to different
destinations (VIP and RIP) right?
So, the problem becomes almost theoretical?
> So, such a setup is dangerous. As for the ICMP replies, they
> are only for anti-DoS purposes, but maybe they are going to die soon.
Or make it switchable as an #ifdef or /proc sysctl?
> It is not changed there. You can remove it by hand.
So am I right that it is in ip_vs_core.c:
    if (!h.th->rst || iph->protocol != IPPROTO_TCP) {
            icmp_send(skb, ICMP_DEST_UNREACH,
                      ICMP_PORT_UNREACH, 0);
            kfree_skb(skb);
            return NF_STOLEN;
    }
And that I just remove icmp_send but still return NF_STOLEN?
And that the code for sending the CIP an ICMP_DEST_UNREACH should stay and
is not related to this, right?
Paul, delving beyond his abilities into the TCP/IP stack.
--
It's not my fault, your daughter did it!
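The port-reuse hazard Julian describes, as an added illustration that is not code from this thread or from LVS: a simplified connection-table model (the struct, the 60-second timeout, the addresses and the assumption that the director sits on the RIP's return path, as in NAT mode, are all constructed) shows a reply from the RIP to a reused client port matching the stale entry and being treated as part of the old CIP->VIP connection.

```c
#include <stdint.h>
#include <string.h>

/* Added model of a director's connection table for this discussion; an
 * assumption, not the real ip_vs structures or lookup code. */
#define CONN_TIMEOUT 60      /* seconds an entry lingers; constructed value */
#define MAX_CONN     16

struct conn {
    uint32_t cip, vip, rip;
    uint16_t cport, vport, rport;
    long     expires;        /* absolute time after which the entry is gone */
};

static struct conn table[MAX_CONN];
static int nconn;

/* Record a CIP:cport -> VIP:vport connection that was scheduled to RIP:rport. */
void conn_add(uint32_t cip, uint16_t cport, uint32_t vip, uint16_t vport,
              uint32_t rip, uint16_t rport, long now)
{
    struct conn *c = &table[nconn++ % MAX_CONN];
    c->cip = cip; c->cport = cport; c->vip = vip; c->vport = vport;
    c->rip = rip; c->rport = rport; c->expires = now + CONN_TIMEOUT;
}

/* Lookup for a packet in the reply direction, RIP:rport -> CIP:cport.
 * Returns the VIP the director would rewrite the source to, or 0 when no
 * live entry matches (the case that reaches the icmp_send in the snippet). */
uint32_t reply_lookup(uint32_t rip, uint16_t rport, uint32_t cip,
                      uint16_t cport, long now)
{
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *c = &table[i];
        if (c->expires > now && c->rip == rip && c->rport == rport &&
            c->cip == cip && c->cport == cport)
            return c->vip;
    }
    return 0;
}

/* Julian's scenario: the client reuses source port 64866 for a direct
 * connection to the RIP `gap` seconds after a CIP->VIP connection used it.
 * Returns 1 when the RIP's reply is misattributed to the old VIP connection. */
int port_reuse_misattributed(long gap)
{
    memset(table, 0, sizeof table); nconn = 0;
    uint32_t cip = 0x01020301, vip = 0x01020364, rip = 0x010203c6; /* constructed */
    conn_add(cip, 64866, vip, 80, rip, 80, 0);
    return reply_lookup(rip, 80, cip, 64866, gap) == vip;
}
```

Within the timeout the reply is claimed by the stale entry; only after it expires does the lookup miss, which is the path where the quoted code decides whether to answer with ICMP.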