From: Simon Horman <horms@verge.net.au>
To: Julian Anastasov <ja@ssi.bg>
Cc: lvs-devel@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org
Subject: Re: [RFC] IPVS: secure_tcp does provide alternate state timeouts
Date: Thu, 29 Sep 2011 18:01:56 +0900	[thread overview]
Message-ID: <20110929090152.GA14203@verge.net.au> (raw)
In-Reply-To: <alpine.LFD.2.00.1109291119420.1696@ja.ssi.bg>

On Thu, Sep 29, 2011 at 11:47:10AM +0300, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Thu, 29 Sep 2011, Simon Horman wrote:
> 
> > * Also reword the test to make it read more easily (to me)
> > 
> > Signed-off-by: Simon Horman <horms@verge.net.au>
> > 
> > ---
> > 
> > Julian, I don't see that IPVS currently implements alternate
> > timeouts for secure_tcp. Am I missing something?
> 
> 	Yes, only states are changed. What is missing is
> libipvs support to modify per-protocol timeouts because they
> are not exported to /proc anymore. As the states have names,
> maybe we can implement timeouts to be set as follows:
> 
> 	ipvsadm --set-state-timeout -p TCP SYN 10
> 
> 	Using 2 timeout tables just for secure_tcp is
> complicated and with the above control it is not needed.

Yes, I agree there is room for improvement.
I guess the best way forward is to use netlink
to allow per-state per-protocol timeout adjustment.

In the meantime, I'll queue this patch up as I think
it's good that the documentation reflects the implementation.

> 
> > ---
> >  Documentation/networking/ipvs-sysctl.txt |   10 ++++------
> >  1 files changed, 4 insertions(+), 6 deletions(-)
> > 
> > diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt
> > index 1dcdd49..13610e3 100644
> > --- a/Documentation/networking/ipvs-sysctl.txt
> > +++ b/Documentation/networking/ipvs-sysctl.txt
> > @@ -140,13 +140,11 @@ nat_icmp_send - BOOLEAN
> >  secure_tcp - INTEGER
> >          0  - disabled (default)
> >  
> > -        The secure_tcp defense is to use a more complicated state
> > -        transition table and some possible short timeouts of each
> > -        state. In the VS/NAT, it delays the entering the ESTABLISHED
> > -        until the real server starts to send data and ACK packet
> > -        (after 3-way handshake).
> > +	The secure_tcp defense is to use a more complicated TCP state
> > +	transition table. For VS/NAT, it also delays entering the
> > +	TCP ESTABLISHED state until the three way handshake is completed.
> >  
> > -        The value definition is the same as that of drop_entry or
> > +        The value definition is the same as that of drop_entry and
> >          drop_packet.
> >  
> >  sync_threshold - INTEGER
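Review bot: The three added lines starting at `+	The secure_tcp defense is to use a more complicated TCP state` are indented with a tab, while the rest of this block in the same hunk (the `0  - disabled (default)` line and the `+        The value definition is the same as that of drop_entry and` line) uses eight spaces; keep the file's existing space indentation so the paragraph lines up when rendered. Minor wording point on the same lines: "three way handshake" should be hyphenated as "three-way handshake", matching the "3-way handshake" phrasing being removed.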
> > -- 
> > 1.7.5.4
> 
> Regards
> 
> --
> Julian Anastasov <ja@ssi.bg>
> 
