lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 May 2020 21:35:56 -0400 From: Andrew Sy Kim <kim.andrewsy@...il.com> To: unlisted-recipients:; (no To-header on input) Cc: kim.andrewsy@...il.com, Wensong Zhang <wensong@...ux-vs.org>, Simon Horman <horms@...ge.net.au>, Julian Anastasov <ja@....bg>, Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...filter.org>, Florian Westphal <fw@...len.de>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org (open list:IPVS), lvs-devel@...r.kernel.org (open list:IPVS), netfilter-devel@...r.kernel.org (open list:NETFILTER), coreteam@...filter.org (open list:NETFILTER), linux-kernel@...r.kernel.org (open list) Subject: [PATCH] netfilter/ipvs: expire no destination UDP connections when expire_nodest_conn=1 When expire_nodest_conn=1 and an IPVS destination is deleted, IPVS doesn't expire connections with the IP_VS_CONN_F_ONE_PACKET flag set (any UDP connection). If there are many UDP packets to a virtual server from a single client and a destination is deleted, many packets are silently dropped whenever an existing connection entry with the same source port exists. This patch ensures IPVS also expires UDP connections when a packet matches an existing connection with no destinations. Signed-off-by: Andrew Sy Kim <kim.andrewsy@...il.com> --- net/netfilter/ipvs/ip_vs_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index aa6a603a2425..f0535586fe75 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -2116,8 +2116,7 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int else ip_vs_conn_put(cp); - if (sysctl_expire_nodest_conn(ipvs) && - !(flags & IP_VS_CONN_F_ONE_PACKET)) { + if (sysctl_expire_nodest_conn(ipvs)) { /* try to expire the connection immediately */ ip_vs_conn_expire_now(cp); } -- 2.20.1
Powered by blists - more mailing lists