Re: [PATCH] Invalidate expired persistance templates

[Horms <horms@xxxxxxxxxxxx>]

On Fri, Nov 04, 2005 at 12:00:22PM +0100, Roberto Nibali wrote:
> Hi Horms,
> 
> > I notices that if persistance timeout is less than 2 min 
> > (the FIN_WAIT timeout) then it will expire before its
> > controlled connections. This causes ip_vs_conn_expire to
> > set the template's timeout to 2min. Which caues somewhat unexpected
> > results if the persistance timeout, like say 10s.
> 
> Since I've hardcoded FIN_WAIT to 10*HZ I didn't catch this.

No, though you would if you set the persistance timeout to 5s.

> > The patch below is a completely untested first cut at fix,
> > it tries to resolve the problem by invalidating expired
> > templates. So while they will stick around in the table for
> > a bit longer, they won't take effect any more.
> 
> This is on top of the following patch, which I have just sent Marcelo,
> right?

I did this on a clean git tree.

> diff -ur v2.4.32-rc2/linux/net/ipv4/ipvs/ip_vs_core.c
> linux/net/ipv4/ipvs/ip_vs_core.c
> --- v2.4.32-rc2/linux/net/ipv4/ipvs/ip_vs_core.c      2005-11-03
> 01:20:02.000000000 +0200
> +++ linux/net/ipv4/ipvs/ip_vs_core.c  2005-11-03 01:22:36.347895544 +0200
> @@ -1111,11 +1111,10 @@
>               if (sysctl_ip_vs_expire_nodest_conn) {
>                       /* try to expire the connection immediately */
>                       ip_vs_conn_expire_now(cp);
> -             } else {
> -                     /* don't restart its timer, and silently
> -                        drop the packet. */
> -                     __ip_vs_conn_put(cp);
>               }
> +             /* don't restart its timer, and silently
> +                drop the packet. */
> +             __ip_vs_conn_put(cp);
>               return NF_DROP;
>       }
> 
> > It does this the samw way that ip_vs_check_template() does,
> > and that code has been broken out for ease of reading.
> > 
> > The patch is against 2.4 git (2.4.32-rc2), but it looks
> > like the same fix will work for 2.6.
> 
> I'll hit this on Monday. I've told Marcelo to hold on releasing 2.4.32
> until I've verified the patch above from Julian. What is the easiest way
> to reproduce your setup?

Create a virtual service, with a persistance time out of 10s.
Connect and disconnect. Observe that the connection entry goes
into the FIN_WAIT state with a timeout of 120s. Then observe a few
seconds later that when the persistance template expires its timeout
is set to 120 seconds.

> Is this critical for 2.4.32?

I don't think its critical at all, its been there since the dawn of time.

-- 
Horms