From: Simon Horman <horms@verge.net.au>
To: Julian Anastasov <ja@ssi.bg>
Cc: lvs-devel@vger.kernel.org, Nick Moriarty <nick.moriarty@york.ac.uk>
Subject: Re: [PATCH net] ipvs: SNAT packet replies only for NATed connections
Date: Mon, 1 May 2017 11:48:46 +0200 [thread overview]
Message-ID: <20170501094844.GJ18349@verge.net.au> (raw)
In-Reply-To: <alpine.LFD.2.20.1705011125350.2663@ja.home.ssi.bg>
On Mon, May 01, 2017 at 11:28:59AM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Mon, 1 May 2017, Simon Horman wrote:
>
> > On Sat, Apr 29, 2017 at 08:33:09PM +0300, Julian Anastasov wrote:
> > > We do not check if packet from real server is for NAT
> > > connection before performing SNAT. This causes problems
> > > for setups that use DR/TUN and allow local clients to
> > > access the real server directly, for example:
> > >
> > > - local client in director creates IPVS-DR/TUN connection
> > > CIP->VIP and the request packets are routed to RIP.
> > > Talks are finished but IPVS connection is not expired yet.
> > >
> > > - second local client creates non-IPVS connection CIP->RIP
> > > with same reply tuple RIP->CIP and when replies are received
> > > on LOCAL_IN we wrongly assign them for the first client
> > > connection because RIP->CIP matches the reply direction.
> > > As result, IPVS SNATs replies for non-IPVS connections.
> > >
> > > The problem is more visible to local UDP clients but in rare
> > > cases it can happen also for TCP or remote clients when the
> > > real server sends the reply traffic via the director.
> > >
> > > So, better to be more precise for the reply traffic.
> > > As replies are not expected for DR/TUN connections, better
> > > to not touch them.
> > >
> > > Reported-by: Nick Moriarty <nick.moriarty@york.ac.uk>
> > > Tested-by: Nick Moriarty <nick.moriarty@york.ac.uk>
> > > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> > > ---
> > >
> > > I know that 4.11 is to be released soon, I prefer this patch
> > > to linger in the net tree during the 4.12-rc cycle.
> >
> > I have no problem with queueing this up as a fix for v4.12 as you describe
> > but do you also want it to be considered for -stable?
>
> Yes, I'll post patches for stable kernels later today.
Thanks, I have pushed this patch to the ipvs tree.
prev parent reply other threads:[~2017-05-01 9:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-29 17:33 [PATCH net] ipvs: SNAT packet replies only for NATed connections Julian Anastasov
2017-05-01 7:55 ` Simon Horman
2017-05-01 8:28 ` Julian Anastasov
2017-05-01 9:48 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170501094844.GJ18349@verge.net.au \
--to=horms@verge.net.au \
--cc=ja@ssi.bg \
--cc=lvs-devel@vger.kernel.org \
--cc=nick.moriarty@york.ac.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.