LVS
lvs-devel
Google
 
Web LinuxVirtualServer.org

Re: [PATCH RFC] ipvs: reschedule new connections if previous was on FIN_

To: lvs-devel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH RFC] ipvs: reschedule new connections if previous was on FIN_WAIT or TIME_WAIT
From: Marcelo Ricardo Leitner <mleitner@xxxxxxxxxx>
Date: Mon, 08 Dec 2014 12:29:10 -0200
(I'll repost if the idea is accepted, this one is just for discussion)

On 08-12-2014 12:27, Marcelo Ricardo Leitner wrote:
Signed-off-by: Marcelo Ricardo Leitner <mleitner@xxxxxxxxxx>
---

Notes:
     Hi,

     We have a report that not doing so may cause poor load balacing if
     applications reuse src port. With a patch like this, it would make
     new SYNs on a given connection to drop the old one and start a new
     one.

     One could say that this reuse can be done on purpose and carefully
     as a way to cause poor load balancing to cause a DoS.

     Thing is, I'm unsure if we really should do this, as it may end up
     doing more harm than good.

     WDYT? And if we do additional checks, like at least validating seq
     number, would it be better?

     Thanks,
     Marcelo

  net/netfilter/ipvs/ip_vs_core.c | 15 ++++++++++++---
  1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 
990decba1fe418e36e59a1f081fcf0e47188da29..e81a9ac3c7e4e25fb14953b7faa4ace054f51274
 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1036,6 +1036,14 @@ static inline bool is_new_conn(const struct sk_buff *skb,
        }
  }

+static inline bool is_new_conn_expected(const struct ip_vs_conn *cp)
+{
+       if (cp->protocol != IPPROTO_TCP)
+               return false;
+       return (cp->state == IP_VS_TCP_S_TIME_WAIT) ||
+               (cp->state == IP_VS_TCP_S_FIN_WAIT);
+}
+
  /* Handle response packets: rewrite addresses and send away...
   */
  static unsigned int
@@ -1642,9 +1650,10 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int 
af)
         */
        cp = pp->conn_in_get(af, skb, &iph, 0);

-       if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest &&
-           unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs &&
-           is_new_conn(skb, &iph)) {
+       if (cp && cp->dest && !iph.fragoffs && is_new_conn(skb, &iph) &&
+           ((unlikely(sysctl_expire_nodest_conn(ipvs)) &&
+             unlikely(!atomic_read(&cp->dest->weight))) ||
+            unlikely(is_new_conn_expected(cp)))) {
                ip_vs_conn_expire_now(cp);
                __ip_vs_conn_put(cp);
                cp = NULL;


--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread] Current Thread [Next in Thread>