authorJulian Anastasov <ja@ssi.bg>2005-09-15 00:08:51 -0400
committerDavid S. Miller <davem@davemloft.net>2005-09-15 00:08:51 -0400
commit87375ab47cd0ba04124c6d3fd80db5c368f5dcb6 (patch)
treec95f160e2b033b5f8d2fad58348400bab5f989f2 /include/net
parentf5e229db9cdb27f83594712ca4bb98d9377eb6ed (diff)
[IPVS]: ip_vs_ftp breaks connections using persistence
When loaded, ip_vs_ftp can create NAT connections with an unknown client port for passive FTP. For such expectations we look up with cport=0 on the incoming packet, but that matches the format of the persistence templates, causing packets to other persistent virtual servers to be forwarded to the real server without creating a connection. Later the reply packets are treated as foreign and not SNAT-ed. This patch changes the connection lookup for packets from clients: * introduce the IP_VS_CONN_F_TEMPLATE connection flag to mark a connection as a template * create a new connection lookup function just for templates, ip_vs_ct_in_get * make sure ip_vs_conn_in_get hits only connections with the IP_VS_CONN_F_NO_CPORT flag set when s_port is 0. This way we avoid returning a template when looking for cport=0 (ftp). Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/ip_vs.h3
1 files changed, 3 insertions, 0 deletions
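--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -84,6 +84,7 @@
 #define IP_VS_CONN_F_IN_SEQ 0x0400 /* must do input seq adjust */
 #define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */
 #define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */
+#define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */
 
 /* Move it to better place one day, for now keep it unique */
 #define NFC_IPVS_PROPERTY 0x10000
@@ -739,6 +740,8 @@ enum {
 
 extern struct ip_vs_conn *ip_vs_conn_in_get
 (int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
+extern struct ip_vs_conn *ip_vs_ct_in_get
+(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
 extern struct ip_vs_conn *ip_vs_conn_out_get
 (int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
 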
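Review bot: The new ip_vs_ct_in_get prototype in the second hunk has the same signature as ip_vs_conn_in_get directly above it and carries no comment saying how the two lookups differ, so a reader of the header cannot tell which one to call for a cport=0 lookup, which is exactly the confusion this commit is fixing. The commit message states that ip_vs_ct_in_get matches templates only, and that ip_vs_conn_in_get with s_port == 0 now matches only entries carrying IP_VS_CONN_F_NO_CPORT and never templates; that contract should live on the declarations. I would put `/* Template (persistence) lookup only: returns entries flagged IP_VS_CONN_F_TEMPLATE. */` above ip_vs_ct_in_get and `/* Real connections only; with s_port == 0 matches only IP_VS_CONN_F_NO_CPORT entries. */` above ip_vs_conn_in_get. The IP_VS_CONN_F_TEMPLATE comment in the first hunk could likewise point at which lookup honours it, e.g. `/* template, not connection; found via ip_vs_ct_in_get only */`, since the flag's value 0x1000 is only meaningful together with that lookup split. Whether these declarations sit at file scope or inside the `enum {` shown in the hunk header cannot be confirmed from the hunk alone.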