author | Hans Schillstrom <hans.schillstrom@ericsson.com> | 2010-11-19 08:25:10 -0500 |
---|---|---|
committer | Simon Horman <horms@verge.net.au> | 2010-11-24 20:42:59 -0500 |
commit | a5959d53d6048a56103ee0ade1eb6f2c0c733b1d (patch) | |
tree | d416698ee8b3b88bc000b1fa51948ba242667805 /net/netfilter/ipvs/ip_vs_proto_tcp.c | |
parent | 3716522653a79b724b02ee911f1b60c41932f847 (diff) |
IPVS: Handle Scheduling errors.
If ip_vs_conn_fill_param_persist returns an error to ip_vs_sched_persist,
this error must propagate as ignored=-1 to ip_vs_schedule().
Errors from ip_vs_conn_new() in ip_vs_sched_persist() and ip_vs_schedule()
should also return *ignored=-1;
This patch just relies on the fact that ignored is 1 before calling
ip_vs_sched_persist().
Sent from Julian:
"The new case when ip_vs_conn_fill_param_persist fails
should set *ignored = -1, so that we can use NF_DROP,
see below. *ignored = -1 should be also used for ip_vs_conn_new
failure in ip_vs_sched_persist() and ip_vs_schedule().
The new negative value should be handled in tcp,udp,sctp"
"To summarize:
- *ignored = 1:
protocol tried to schedule (eg. on SYN), found svc but the
svc/scheduler decides that this packet should be accepted with
NF_ACCEPT because it must not be scheduled.
- *ignored = 0:
scheduler can not find destination, so try bypass or
return ICMP and then NF_DROP (ip_vs_leave).
- *ignored = -1:
scheduler tried to schedule but fatal error occurred, eg.
ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param
failure such as missing Call-ID, ENOMEM on skb_linearize
or pe_data. In this case we should return NF_DROP without
any attempts to send ICMP with ip_vs_leave."
More or less all ideas and input to this patch are work from
Julian Anastasov
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Diffstat (limited to 'net/netfilter/ipvs/ip_vs_proto_tcp.c')
-rw-r--r-- | net/netfilter/ipvs/ip_vs_proto_tcp.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/net/netfilter/ipvs/ip_vs_proto_tcp.c b/net/netfilter/ipvs/ip_vs_proto_tcp.c index f6c5200e214..1cdab12abfe 100644 --- a/net/netfilter/ipvs/ip_vs_proto_tcp.c +++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c | |||
@@ -64,12 +64,18 @@ tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp, | |||
64 | * incoming connection, and create a connection entry. | 64 | * incoming connection, and create a connection entry. |
65 | */ | 65 | */ |
66 | *cpp = ip_vs_schedule(svc, skb, pp, &ignored); | 66 | *cpp = ip_vs_schedule(svc, skb, pp, &ignored); |
67 | if (!*cpp && !ignored) { | 67 | if (!*cpp && ignored <= 0) { |
68 | *verdict = ip_vs_leave(svc, skb, pp); | 68 | if (!ignored) |
69 | *verdict = ip_vs_leave(svc, skb, pp); | ||
70 | else { | ||
71 | ip_vs_service_put(svc); | ||
72 | *verdict = NF_DROP; | ||
73 | } | ||
69 | return 0; | 74 | return 0; |
70 | } | 75 | } |
71 | ip_vs_service_put(svc); | 76 | ip_vs_service_put(svc); |
72 | } | 77 | } |
78 | /* NF_ACCEPT */ | ||
73 | return 1; | 79 | return 1; |
74 | } | 80 | } |
75 | 81 | ||
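Review bot: The two failure arms inside `if (!*cpp && ignored <= 0)` release `svc` differently, and the code does not say why. The `else` arm (negative `ignored`) calls `ip_vs_service_put(svc)` explicitly before setting `*verdict = NF_DROP`, while the `if (!ignored)` arm returns with no visible put, so it presumably relies on `ip_vs_leave(svc, skb, pp)` dropping the reference. A short comment on that arm stating who releases `svc` would let the refcount balance be checked from this function alone, which matters on an error path that is meant to handle ENOMEM-type failures. Two smaller points: kernel coding style asks for braces on both arms when one arm has them, so `if (!ignored)` should be braced to match `else { ... }`; and the new `/* NF_ACCEPT */` comment sits above `return 1;` although nothing on that path writes `*verdict`, so it would be clearer to say that returning 1 leaves the accept decision to the caller.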