5 files changed, 17 insertions, 14 deletions
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index af9acf44e40a..fbe660f95873 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -877,7 +877,7 @@ extern const char * ip_vs_state_name(__u16 proto, int state);
 extern void ip_vs_tcp_conn_listen(struct net *net, struct ip_vs_conn *cp);
 extern int ip_vs_check_template(struct ip_vs_conn *ct);
-extern void ip_vs_random_dropentry(void);
+extern void ip_vs_random_dropentry(struct net *net);
 extern int ip_vs_conn_init(void);
 extern void ip_vs_conn_cleanup(void);
diff --git a/include/net/netns/ip_vs.h b/include/net/netns/ip_vs.h
index c4b1abf258e4..41332619142c 100644
--- a/include/net/netns/ip_vs.h
+++ b/include/net/netns/ip_vs.h
@@ -71,6 +71,7 @@ struct netns_ipvs {
        int                     num_services;    /* no of virtual services */
        /* 1/rate drop and drop-entry variables */
+        struct delayed_work     defense_work;   /* Work handler */
        int                     drop_rate;
        int                     drop_counter;
        atomic_t                dropentry;
@@ -129,6 +130,8 @@ struct netns_ipvs {
        /* multicast interface name */
        char                    master_mcast_ifn[IP_VS_IFNAME_MAXLEN];
        char                    backup_mcast_ifn[IP_VS_IFNAME_MAXLEN];
+        /* net name space ptr */
+        struct net              *net;            /* Needed by timer routines */
 };
 #endif /* IP_VS_H_ */
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 5ba205a4d79c..28bdaf7c02f4 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -1138,7 +1138,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
 }
 /* Called from keventd and must protect itself from softirqs */
-void ip_vs_random_dropentry(void)
+void ip_vs_random_dropentry(struct net *net)
 {
        int idx;
        struct ip_vs_conn *cp;
@@ -1158,7 +1158,8 @@ void ip_vs_random_dropentry(void)
                        if (cp->flags & IP_VS_CONN_F_TEMPLATE)
                                /* connection template */
                                continue;
+                        if (!ip_vs_conn_net_eq(cp, net))
+                                continue;
                        if (cp->protocol == IPPROTO_TCP) {
                                switch(cp->state) {
                                case IP_VS_TCP_S_SYN_RECV:
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index a7c59a722af3..bdda346a4f30 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1884,6 +1884,7 @@ static int __net_init __ip_vs_init(struct net *net)
                pr_err("%s(): no memory.\n", __func__);
                return -ENOMEM;
        }
+        ipvs->net = net;
        /* Counters used for creating unique names */
        ipvs->gen = atomic_read(&ipvs_netns_cnt);
        atomic_inc(&ipvs_netns_cnt);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 183ac18bded5..6a963d44df48 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -217,18 +217,16 @@ static void update_defense_level(struct netns_ipvs *ipvs)
 *      Timer for checking the defense
 */
 #define DEFENSE_TIMER_PERIOD    1*HZ
-static void defense_work_handler(struct work_struct *work);
-static DECLARE_DELAYED_WORK(defense_work, defense_work_handler);
 static void defense_work_handler(struct work_struct *work)
 {
-        struct netns_ipvs *ipvs = net_ipvs(&init_net);
+        struct netns_ipvs *ipvs =
+                container_of(work, struct netns_ipvs, defense_work.work);
        update_defense_level(ipvs);
        if (atomic_read(&ipvs->dropentry))
-                ip_vs_random_dropentry();
+                ip_vs_random_dropentry(ipvs->net);
+        schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
-        schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
 }
 int
@@ -3564,6 +3562,9 @@ int __net_init __ip_vs_control_init(struct net *net)
                goto err_reg;
        ip_vs_new_estimator(net, ipvs->tot_stats);
        ipvs->sysctl_tbl = tbl;
+        /* Schedule defense work */
+        INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
+        schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
        return 0;
 err_reg:
@@ -3588,6 +3589,8 @@ static void __net_exit __ip_vs_control_cleanup(struct net *net)
        proc_net_remove(net, "ip_vs_stats_percpu");
        proc_net_remove(net, "ip_vs_stats");
        proc_net_remove(net, "ip_vs");
+        cancel_delayed_work_sync(&ipvs->defense_work);
+        cancel_work_sync(&ipvs->defense_work.work);
        free_percpu(ipvs->cpustats);
        kfree(ipvs->tot_stats);
 }
@@ -3631,9 +3634,6 @@ int __init ip_vs_control_init(void)
                goto err_net;
        }
-        /* Hook the defense timer */
-        schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
        LeaveFunction(2);
        return 0;
@@ -3648,8 +3648,6 @@ void ip_vs_control_cleanup(void)
 {
        EnterFunction(2);
        ip_vs_trash_cleanup();
-        cancel_delayed_work_sync(&defense_work);
-        cancel_work_sync(&defense_work.work);
        unregister_pernet_subsys(&ipvs_control_ops);
        ip_vs_genl_unregister();
        nf_unregister_sockopt(&ip_vs_sockopts);

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index af9acf44e40a..fbe660f95873 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h
@@ -877,7 +877,7 @@ extern const char * ip_vs_state_name(__u16 proto, int state);
877		877
878	extern void ip_vs_tcp_conn_listen(struct net net, struct ip_vs_conn cp);	878	extern void ip_vs_tcp_conn_listen(struct net net, struct ip_vs_conn cp);
879	extern int ip_vs_check_template(struct ip_vs_conn *ct);	879	extern int ip_vs_check_template(struct ip_vs_conn *ct);
880	extern void ip_vs_random_dropentry(void);	880	extern void ip_vs_random_dropentry(struct net *net);
881	extern int ip_vs_conn_init(void);	881	extern int ip_vs_conn_init(void);
882	extern void ip_vs_conn_cleanup(void);	882	extern void ip_vs_conn_cleanup(void);
883		883


diff --git a/include/net/netns/ip_vs.h b/include/net/netns/ip_vs.h index c4b1abf258e4..41332619142c 100644 --- a/include/net/netns/ip_vs.h +++ b/include/net/netns/ip_vs.h
@@ -71,6 +71,7 @@ struct netns_ipvs {
71		71
72	int num_services; /* no of virtual services */	72	int num_services; /* no of virtual services */
73	/* 1/rate drop and drop-entry variables */	73	/* 1/rate drop and drop-entry variables */
		74	struct delayed_work defense_work; /* Work handler */
74	int drop_rate;	75	int drop_rate;
75	int drop_counter;	76	int drop_counter;
76	atomic_t dropentry;	77	atomic_t dropentry;
@@ -129,6 +130,8 @@ struct netns_ipvs {
129	/* multicast interface name */	130	/* multicast interface name */
130	char master_mcast_ifn[IP_VS_IFNAME_MAXLEN];	131	char master_mcast_ifn[IP_VS_IFNAME_MAXLEN];
131	char backup_mcast_ifn[IP_VS_IFNAME_MAXLEN];	132	char backup_mcast_ifn[IP_VS_IFNAME_MAXLEN];
		133	/* net name space ptr */
		134	struct net net; / Needed by timer routines */
132	};	135	};
133		136
134	#endif /* IP_VS_H_ */	137	#endif /* IP_VS_H_ */


diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index 5ba205a4d79c..28bdaf7c02f4 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -1138,7 +1138,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
1138	}	1138	}
1139		1139
1140	/* Called from keventd and must protect itself from softirqs */	1140	/* Called from keventd and must protect itself from softirqs */
1141	void ip_vs_random_dropentry(void)	1141	void ip_vs_random_dropentry(struct net *net)
1142	{	1142	{
1143	int idx;	1143	int idx;
1144	struct ip_vs_conn *cp;	1144	struct ip_vs_conn *cp;
@@ -1158,7 +1158,8 @@ void ip_vs_random_dropentry(void)
1158	if (cp->flags & IP_VS_CONN_F_TEMPLATE)	1158	if (cp->flags & IP_VS_CONN_F_TEMPLATE)
1159	/* connection template */	1159	/* connection template */
1160	continue;	1160	continue;
1161		1161	if (!ip_vs_conn_net_eq(cp, net))
		1162	continue;
1162	if (cp->protocol == IPPROTO_TCP) {	1163	if (cp->protocol == IPPROTO_TCP) {
1163	switch(cp->state) {	1164	switch(cp->state) {
1164	case IP_VS_TCP_S_SYN_RECV:	1165	case IP_VS_TCP_S_SYN_RECV:


diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index a7c59a722af3..bdda346a4f30 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1884,6 +1884,7 @@ static int __net_init __ip_vs_init(struct net *net)
1884	pr_err("%s(): no memory.\n", __func__);	1884	pr_err("%s(): no memory.\n", __func__);
1885	return -ENOMEM;	1885	return -ENOMEM;
1886	}	1886	}
		1887	ipvs->net = net;
1887	/* Counters used for creating unique names */	1888	/* Counters used for creating unique names */
1888	ipvs->gen = atomic_read(&ipvs_netns_cnt);	1889	ipvs->gen = atomic_read(&ipvs_netns_cnt);
1889	atomic_inc(&ipvs_netns_cnt);	1890	atomic_inc(&ipvs_netns_cnt);


diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 183ac18bded5..6a963d44df48 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -217,18 +217,16 @@ static void update_defense_level(struct netns_ipvs *ipvs)
217	* Timer for checking the defense	217	* Timer for checking the defense
218	*/	218	*/
219	#define DEFENSE_TIMER_PERIOD 1*HZ	219	#define DEFENSE_TIMER_PERIOD 1*HZ
220	static void defense_work_handler(struct work_struct *work);
221	static DECLARE_DELAYED_WORK(defense_work, defense_work_handler);
222		220
223	static void defense_work_handler(struct work_struct *work)	221	static void defense_work_handler(struct work_struct *work)
224	{	222	{
225	struct netns_ipvs *ipvs = net_ipvs(&init_net);	223	struct netns_ipvs *ipvs =
		224	container_of(work, struct netns_ipvs, defense_work.work);
226		225
227	update_defense_level(ipvs);	226	update_defense_level(ipvs);
228	if (atomic_read(&ipvs->dropentry))	227	if (atomic_read(&ipvs->dropentry))
229	ip_vs_random_dropentry();	228	ip_vs_random_dropentry(ipvs->net);
230		229	schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
231	schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
232	}	230	}
233		231
234	int	232	int
@@ -3564,6 +3562,9 @@ int __net_init __ip_vs_control_init(struct net *net)
3564	goto err_reg;	3562	goto err_reg;
3565	ip_vs_new_estimator(net, ipvs->tot_stats);	3563	ip_vs_new_estimator(net, ipvs->tot_stats);
3566	ipvs->sysctl_tbl = tbl;	3564	ipvs->sysctl_tbl = tbl;
		3565	/* Schedule defense work */
		3566	INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
		3567	schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
3567	return 0;	3568	return 0;
3568		3569
3569	err_reg:	3570	err_reg:
@@ -3588,6 +3589,8 @@ static void __net_exit __ip_vs_control_cleanup(struct net *net)
3588	proc_net_remove(net, "ip_vs_stats_percpu");	3589	proc_net_remove(net, "ip_vs_stats_percpu");
3589	proc_net_remove(net, "ip_vs_stats");	3590	proc_net_remove(net, "ip_vs_stats");
3590	proc_net_remove(net, "ip_vs");	3591	proc_net_remove(net, "ip_vs");
		3592	cancel_delayed_work_sync(&ipvs->defense_work);
		3593	cancel_work_sync(&ipvs->defense_work.work);
3591	free_percpu(ipvs->cpustats);	3594	free_percpu(ipvs->cpustats);
3592	kfree(ipvs->tot_stats);	3595	kfree(ipvs->tot_stats);
3593	}	3596	}
@@ -3631,9 +3634,6 @@ int __init ip_vs_control_init(void)
3631	goto err_net;	3634	goto err_net;
3632	}	3635	}
3633		3636
3634	/* Hook the defense timer */
3635	schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
3636
3637	LeaveFunction(2);	3637	LeaveFunction(2);
3638	return 0;	3638	return 0;
3639		3639
@@ -3648,8 +3648,6 @@ void ip_vs_control_cleanup(void)
3648	{	3648	{
3649	EnterFunction(2);	3649	EnterFunction(2);
3650	ip_vs_trash_cleanup();	3650	ip_vs_trash_cleanup();
3651	cancel_delayed_work_sync(&defense_work);
3652	cancel_work_sync(&defense_work.work);
3653	unregister_pernet_subsys(&ipvs_control_ops);	3651	unregister_pernet_subsys(&ipvs_control_ops);
3654	ip_vs_genl_unregister();	3652	ip_vs_genl_unregister();
3655	nf_unregister_sockopt(&ip_vs_sockopts);	3653	nf_unregister_sockopt(&ip_vs_sockopts);