Open Source and information security mailing list archives
 
Message-ID: <alpine.LFD.2.00.1306122229120.1773@ja.ssi.bg>
Date:	Wed, 12 Jun 2013 22:43:46 +0300 (EEST)
From:	Julian Anastasov <ja@....bg>
To:	Alexander Frolkin <avf@...amar.org.uk>
cc:	lvs-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipvs: sloppy TCP and SCTP


	Hello,

On Wed, 12 Jun 2013, Alexander Frolkin wrote:

> This adds support for sloppy TCP and SCTP mode to IPVS.
> 
> When enabled (sysctls net.ipv4.vs.sloppy_tcp and
> net.ipv4.vs.sloppy_sctp), allows IPVS to create connection state on any
> packet, not just a TCP SYN (or SCTP INIT).
> 
> This allows connections to fail over from one IPVS director to another
> mid-flight.
> 
> Signed-off-by: Alexander Frolkin <avf@...amar.org.uk>

	extra empty line here

> 
> ---

> diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> index 8646488..fd8f587 100644
> --- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
> +++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c

> @@ -27,13 +28,14 @@ sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
>  	if (sch == NULL)
>  		return 0;
>  	net = skb_net(skb);
> +	ipvs = net_ipvs(net);
>  	rcu_read_lock();
> -	if ((sch->type == SCTP_CID_INIT) &&
> +	if ((sysctl_sloppy_sctp(ipvs) || (sch->type == SCTP_CID_INIT)) &&
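
Review bot: on the new `if` line, once sysctl_sloppy_sctp(ipvs) is set every chunk type passes the test, while the TCP counterpart in this same patch excludes resets with `!th->rst`. Consider an equivalent exclusion here, for example `sch->type != SCTP_CID_ABORT`, so that a teardown chunk for an unknown association does not schedule a new connection entry. Since sloppy mode lets any packet create state, the sysctl description should also say that the connection table can then be filled without a handshake.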

	Can you change the above line to:

	if ((sch->type == SCTP_CID_INIT || sysctl_sloppy_sctp(ipvs)) &&

	i.e.

1. No () around sch->type == SCTP_CID_INIT

2. Check for sch->type == SCTP_CID_INIT is usually true,
so let's try it first

> diff --git a/net/netfilter/ipvs/ip_vs_proto_tcp.c b/net/netfilter/ipvs/ip_vs_proto_tcp.c
> index 50a1594..3fd23fa 100644
> --- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
> +++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c

> @@ -46,14 +47,15 @@ tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
>  		return 0;
>  	}
>  	net = skb_net(skb);
> +	ipvs = net_ipvs(net);
>  	/* No !th->ack check to allow scheduling on SYN+ACK for Active FTP */
>  	rcu_read_lock();
> -	if (th->syn &&
> +	if ((sysctl_sloppy_tcp(ipvs) || th->syn) && !th->rst &&
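
Review bot: `!th->rst` on the new `if` line is evaluated whether or not sysctl_sloppy_tcp(ipvs) is set, so it changes the default path too: a segment with both SYN and RST set passed this flag test before the patch and no longer does. If that is intended, state it in the commit message; if not, scope it to sloppy mode with `th->syn || (sysctl_sloppy_tcp(ipvs) && !th->rst)`. The comment above rcu_read_lock() still explains only the SYN+ACK case and could mention that sloppy mode schedules on non-SYN segments.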

	Same here:

	if ((th->syn || sysctl_sloppy_tcp(ipvs)) && !th->rst &&

	Also, you can check the "IPVS" entry in the
MAINTAINERS file for the actual list of addresses to use (M and L)
when submitting patches.

Regards

--
Julian Anastasov <ja@....bg>