diff options
| author | Grzegorz Lyczba <grzegorz.lyczba@gmail.com> | 2013-05-13 17:56:24 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-05-27 07:00:45 -0400 |
| commit | dc7b3eb900aab02e5cafbca3948d005be13fb4a5 (patch) | |
| tree | 3a5165ef23bea0089c6fe2bf41f069e8d17dc750 /net | |
| parent | 4f36ea6eed2081340c7a7aa98c73187ecfccebff (diff) | |
ipvs: Fix reuse connection if real server is dead
Expire cached connection for new TCP/SCTP connection if real
server is down. Otherwise, IPVS uses the dead server for the
reused connection, instead of a new working one.
Signed-off-by: Grzegorz Lyczba <grzegorz.lyczba@gmail.com>
Acked-by: Hans Schillstrom <hans@schillstrom.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_core.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 085b5880ab0d..05565d2b3a61 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c | |||
| @@ -1001,6 +1001,32 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len) | |||
| 1001 | return th->rst; | 1001 | return th->rst; |
| 1002 | } | 1002 | } |
| 1003 | 1003 | ||
| 1004 | static inline bool is_new_conn(const struct sk_buff *skb, | ||
| 1005 | struct ip_vs_iphdr *iph) | ||
| 1006 | { | ||
| 1007 | switch (iph->protocol) { | ||
| 1008 | case IPPROTO_TCP: { | ||
| 1009 | struct tcphdr _tcph, *th; | ||
| 1010 | |||
| 1011 | th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph); | ||
| 1012 | if (th == NULL) | ||
| 1013 | return false; | ||
| 1014 | return th->syn; | ||
| 1015 | } | ||
| 1016 | case IPPROTO_SCTP: { | ||
| 1017 | sctp_chunkhdr_t *sch, schunk; | ||
| 1018 | |||
| 1019 | sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t), | ||
| 1020 | sizeof(schunk), &schunk); | ||
| 1021 | if (sch == NULL) | ||
| 1022 | return false; | ||
| 1023 | return sch->type == SCTP_CID_INIT; | ||
| 1024 | } | ||
| 1025 | default: | ||
| 1026 | return false; | ||
| 1027 | } | ||
| 1028 | } | ||
| 1029 | |||
| 1004 | /* Handle response packets: rewrite addresses and send away... | 1030 | /* Handle response packets: rewrite addresses and send away... |
| 1005 | */ | 1031 | */ |
| 1006 | static unsigned int | 1032 | static unsigned int |
| @@ -1612,6 +1638,15 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) | |||
| 1612 | * Check if the packet belongs to an existing connection entry | 1638 | * Check if the packet belongs to an existing connection entry |
| 1613 | */ | 1639 | */ |
| 1614 | cp = pp->conn_in_get(af, skb, &iph, 0); | 1640 | cp = pp->conn_in_get(af, skb, &iph, 0); |
| 1641 | |||
| 1642 | if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest && | ||
| 1643 | unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs && | ||
| 1644 | is_new_conn(skb, &iph)) { | ||
| 1645 | ip_vs_conn_expire_now(cp); | ||
| 1646 | __ip_vs_conn_put(cp); | ||
| 1647 | cp = NULL; | ||
| 1648 | } | ||
| 1649 | |||
| 1615 | if (unlikely(!cp) && !iph.fragoffs) { | 1650 | if (unlikely(!cp) && !iph.fragoffs) { |
| 1616 | /* No (second) fragments need to enter here, as nf_defrag_ipv6 | 1651 | /* No (second) fragments need to enter here, as nf_defrag_ipv6 |
| 1617 | * replayed fragment zero will already have created the cp | 1652 | * replayed fragment zero will already have created the cp |