Hello,
As reported by some users, the ip_nat_ftp module causes some
problems with other virtual services. ip_nat_ftp can keep
ip_vs_conn_no_cport_cnt > 0 for the time it expects connections
from unknown client ports. This is fatal for the persistence services,
as the normal packets start to hit persistence templates instead of
valid connections. Such packets are correctly forwarded to real servers,
but the reply packets do not see connections as they are not created.
As a result, the reply packets are not SNAT-ed by the IPVS code.
I tried to fix this problem with the following patch:
Linux 2.6.13:
http://www.ssi.bg/~ja/tmp/ipvs-2.6/ct-2.6.13-1.diff
Linux 2.4.32-pre3:
http://www.ssi.bg/~ja/tmp/ipvs-2.4/ct-2.4.32-pre3-1.diff
These patches do the following:
- introduce IP_VS_CONN_F_TEMPLATE connection flag to mark the
connection as template
- create new connection lookup function just for templates:
ip_vs_ct_in_get
- make sure ip_vs_conn_in_get hits only connections with the
IP_VS_CONN_F_NO_CPORT flag set when s_port is 0. This way
we avoid returning a template when looking for cport=0 (ftp)
There is a second patch that properly invalidates the
templates as Agostino di Salle noticed:
Linux 2.6.13:
http://www.ssi.bg/~ja/tmp/ipvs-2.6/invct-2.6.13-1.diff
Linux 2.4.32-pre3:
http://www.ssi.bg/~ja/tmp/ipvs-2.4/invct-2.4.32-pre3-1.diff
I performed only simple tests, so please test these patches,
for example persistence+ip_nat_ftp; the ip_vs_sync code is changed
too. If there is a better solution, please speak before they are included
in the next kernel releases. I'm expecting confirmation from people
with the problem that reply packets were not translated by IPVS.
Regards
--
Julian Anastasov <ja@xxxxxx>
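To illustrate the lookup problem described in the message and the fix the patches introduce, here is an added user-space model (not the IPVS code itself, nor from the patches above) of a small connection table with a pre-patch 5-tuple lookup, the patched lookup that pairs a zero client port with the NO_CPORT flag, and a template-only lookup in the spirit of ip_vs_ct_in_get. Flag values, struct layout and the addresses/ports in the table are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical flag bits modelled on the IPVS names in the message. */
#define CONN_F_NO_CPORT  0x0001   /* connection expecting an unknown client port (ftp) */
#define CONN_F_TEMPLATE  0x0002   /* persistence template; added by the patch */

struct conn {
    uint8_t  protocol;
    uint32_t caddr, vaddr;   /* client address, virtual service address */
    uint16_t cport, vport;   /* client port, virtual service port */
    unsigned flags;
};

/* Constructed table: a persistence template (cport 0), a real client
 * connection, and an ftp data expectation created with cport 0. */
static struct conn table[] = {
    { 6, 0x0a000001, 0xc0a80001, 0,     21,    CONN_F_TEMPLATE },
    { 6, 0x0a000001, 0xc0a80001, 40000, 21,    0 },
    { 6, 0x0a000001, 0xc0a80001, 0,     50123, CONN_F_NO_CPORT },
};
static const size_t ntable = sizeof table / sizeof table[0];

/* Pre-patch behaviour: any entry with the same 5-tuple matches. The
 * cport-0 fallback taken while ip_vs_conn_no_cport_cnt > 0 therefore
 * returns the persistence template for ordinary traffic. */
static struct conn *in_get_old(uint8_t pr, uint32_t ca, uint16_t cp, uint32_t va, uint16_t vp)
{
    for (size_t i = 0; i < ntable; i++)
        if (table[i].protocol == pr && table[i].caddr == ca && table[i].cport == cp &&
            table[i].vaddr == va && table[i].vport == vp)
            return &table[i];
    return NULL;
}

/* Patched behaviour: a zero cport matches only NO_CPORT entries and a
 * non-zero cport only entries without it, so templates are never returned. */
static struct conn *in_get_new(uint8_t pr, uint32_t ca, uint16_t cp, uint32_t va, uint16_t vp)
{
    for (size_t i = 0; i < ntable; i++)
        if (table[i].protocol == pr && table[i].caddr == ca && table[i].cport == cp &&
            table[i].vaddr == va && table[i].vport == vp &&
            ((!cp) ^ (!(table[i].flags & CONN_F_NO_CPORT))))
            return &table[i];
    return NULL;
}

/* Separate lookup that only ever returns templates. */
static struct conn *ct_in_get(uint8_t pr, uint32_t ca, uint16_t cp, uint32_t va, uint16_t vp)
{
    for (size_t i = 0; i < ntable; i++)
        if ((table[i].flags & CONN_F_TEMPLATE) && table[i].protocol == pr &&
            table[i].caddr == ca && table[i].cport == cp &&
            table[i].vaddr == va && table[i].vport == vp)
            return &table[i];
    return NULL;
}
```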