Hello,
On Sat, 1 Dec 2001, Paul Wouters wrote:
> On Sat, 1 Dec 2001, Julian Anastasov wrote:
>
> > > it. The LVS then sends out a port unreachable:
> > >
> > > 14:21:15.564637 > 1.2.3.1 > 1.2.3.198: icmp: a.b.c.d tcp port 64866
> > > unreachable [tos 0xc0]
> >
> > The code that sends the ICMP reply can be removed, but then
> > one problem remains: connection reuse. The client can select a
> > port for direct talks with the RIP, but if that port was used
> > some seconds before for CIP->VIP talks, it is possible for LVS to catch
> > these replies as part of the previous connection's life.
>
> But a proper TCP/IP stack on a client will not re-use the same port
> that quickly, unless it is REALLY loaded with connections right?
> And a client won't (can't?) use the same source port to different
> destinations (VIP and RIP) right?
> So, the problem becomes almost theoretical?
>
> > So, such a setup is dangerous. As for the ICMP replies, they
> > are only for anti-DoS purposes but maybe are going to die soon.
>
> Or make it switchable as #ifdef or /proc sysctl?
>
> > It is not changed there. You can remove it by hand.
>
> So am I right that it is in ip_vs_core.c:
>
>         if (!h.th->rst || iph->protocol != IPPROTO_TCP) {
>                 icmp_send(skb, ICMP_DEST_UNREACH,
>                           ICMP_PORT_UNREACH, 0);
>                 kfree_skb(skb);
>                 return NF_STOLEN;
>         }
>
> And that I just remove icmp_send, but still return NF_STOLEN; ?
>
Just comment out the whole block, for example,

#if 0
        if (ip_vs_lookup_real_service(iph->protocol,
                                      iph->saddr, h.portp[0])) {
                /*
                 * Notify the real server: there is no existing
                 * entry if it is not RST packet or not TCP packet.
                 */
                if (!h.th->rst || iph->protocol != IPPROTO_TCP) {
                        icmp_send(skb, ICMP_DEST_UNREACH,
                                  ICMP_PORT_UNREACH, 0);
                        kfree_skb(skb);
                        return NF_STOLEN;
                }
        }
#endif

Regards,
Wensong
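A constructed model of the connection-reuse hazard Julian describes, added here as an example and not ip_vs code: a director-side connection table with an out-direction lookup, and a check showing that a real-server reply to a reused client port is matched to the stale CIP->VIP entry while that entry is still within its timeout, and goes unmatched (the case in which the quoted block would send the ICMP) once it has expired. The addresses, the 120-second entry lifetime and the table layout are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define MAX_CONN 16
#define PROTO_TCP 6

/* One LVS-style connection entry: CIP:cport -> VIP:vport, served by RIP:dport. */
struct conn {
    uint8_t  proto;
    uint32_t caddr, vaddr, daddr;
    uint16_t cport, vport, dport;
    long     expires;   /* simulated clock, seconds */
    int      used;
};

static struct conn table[MAX_CONN];

/* Match a packet seen on the way out of a real server (RIP:sport -> CIP:dport),
 * the way the director looks up replies; entries past their timeout are dropped. */
const struct conn *conn_out_get(uint8_t proto, uint32_t saddr, uint16_t sport,
                                uint32_t daddr, uint16_t dport, long now)
{
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *c = &table[i];
        if (!c->used) continue;
        if (c->expires <= now) { c->used = 0; continue; }   /* timed out: drop */
        if (c->proto == proto && c->daddr == saddr && c->dport == sport &&
            c->caddr == daddr && c->cport == dport)
            return c;
    }
    return 0;
}

/* The reuse hazard from the thread: the client used source port p for CIP->VIP,
 * then reuses p for a direct talk with the RIP reuse_delay seconds later.
 * Returns 1 when the RS reply would be matched to the stale VIP entry, 0 if
 * no entry is found (the case where the quoted code sends the ICMP). */
int reply_hits_stale_entry(long reuse_delay)
{
    /* Constructed addresses: client 10.0.0.5, VIP 1.2.3.1, RIP 1.2.3.198. */
    uint32_t cip = 0x0a000005, vip = 0x01020301, rip = 0x010203c6;
    uint16_t p = 64866;
    memset(table, 0, sizeof table);
    table[0] = (struct conn){ .proto = PROTO_TCP, .caddr = cip, .vaddr = vip,
                              .daddr = rip, .cport = p, .vport = 80, .dport = 80,
                              .expires = 120, .used = 1 };   /* entry lives 120 s */
    const struct conn *c = conn_out_get(PROTO_TCP, rip, 80, cip, p, reuse_delay);
    return c != 0 && c->vaddr == vip;
}
```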