[Patch resend nf] ipvs: fix AF assignment in ip_vs_conn_new()

[Patch resend nf] ipvs: fix AF assignment in ip_vs_conn_new()

[Michal Kubecek]

If a fwmark is passed to ip_vs_conn_new(), it is passed in
vaddr, not daddr. Therefore we should set AF to AF_UNSPEC in
vaddr assignment (like we do in ip_vs_ct_in_get()).

Signed-off-by: Bogdano Arendartchuk <barendartchuk@suse.com>
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
(first time it didn't reach all recipients due to a malformed header)
---
 net/netfilter/ipvs/ip_vs_conn.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 59a1a85..282b39b 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -871,11 +871,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
 	cp->protocol	   = p->protocol;
 	ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
 	cp->cport	   = p->cport;
-	ip_vs_addr_set(p->af, &cp->vaddr, p->vaddr);
-	cp->vport	   = p->vport;
-	/* proto should only be IPPROTO_IP if d_addr is a fwmark */
+	/* proto should only be IPPROTO_IP if p->vaddr is a fwmark */
 	ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
-		       &cp->daddr, daddr);
+		       &cp->vaddr, vaddr);
+	cp->vport	   = p->vport;
+	ip_vs_addr_set(p->af, &cp->daddr, p->daddr);
 	cp->dport          = dport;
 	cp->flags	   = flags;
 	cp->fwmark         = fwmark;
-- 
1.8.1.4

Re: [Patch resend nf] ipvs: fix AF assignment in ip_vs_conn_new()

[Julian Anastasov]

	Hello,

On Wed, 29 Jan 2014, Michal Kubecek wrote:

> If a fwmark is passed to ip_vs_conn_new(), it is passed in
> vaddr, not daddr. Therefore we should set AF to AF_UNSPEC in
> vaddr assignment (like we do in ip_vs_ct_in_get()).
> 
> Signed-off-by: Bogdano Arendartchuk <barendartchuk@suse.com>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> ---
> (first time it didn't reach all recipients due to a malformed header)
> ---
>  net/netfilter/ipvs/ip_vs_conn.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
> index 59a1a85..282b39b 100644
> --- a/net/netfilter/ipvs/ip_vs_conn.c
> +++ b/net/netfilter/ipvs/ip_vs_conn.c
> @@ -871,11 +871,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
>  	cp->protocol	   = p->protocol;
>  	ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
>  	cp->cport	   = p->cport;
> -	ip_vs_addr_set(p->af, &cp->vaddr, p->vaddr);
> -	cp->vport	   = p->vport;
> -	/* proto should only be IPPROTO_IP if d_addr is a fwmark */
> +	/* proto should only be IPPROTO_IP if p->vaddr is a fwmark */
>  	ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
> -		       &cp->daddr, daddr);
> +		       &cp->vaddr, vaddr);

	Patch does not compile due to vaddr and p->daddr
usage but you are in the right direction. Such change should
fix a problem where connection templates don't get full
IPv6 address for the real server, only the first 4 bytes
are copied and as result it works only for IPv4.

> +	cp->vport	   = p->vport;
> +	ip_vs_addr_set(p->af, &cp->daddr, p->daddr);
>  	cp->dport          = dport;
>  	cp->flags	   = flags;
>  	cp->fwmark         = fwmark;
> -- 
> 1.8.1.4

Regards

--
Julian Anastasov <ja@ssi.bg>

Re: [Patch resend nf] ipvs: fix AF assignment in ip_vs_conn_new()

[Michal Kubecek]

On Wed, Jan 29, 2014 at 11:24:17PM +0200, Julian Anastasov wrote:
> > diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
> > index 59a1a85..282b39b 100644
> > --- a/net/netfilter/ipvs/ip_vs_conn.c
> > +++ b/net/netfilter/ipvs/ip_vs_conn.c
> > @@ -871,11 +871,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
> >  	cp->protocol	   = p->protocol;
> >  	ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
> >  	cp->cport	   = p->cport;
> > -	ip_vs_addr_set(p->af, &cp->vaddr, p->vaddr);
> > -	cp->vport	   = p->vport;
> > -	/* proto should only be IPPROTO_IP if d_addr is a fwmark */
> > +	/* proto should only be IPPROTO_IP if p->vaddr is a fwmark */
> >  	ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
> > -		       &cp->daddr, daddr);
> > +		       &cp->vaddr, vaddr);
> 
> 	Patch does not compile due to vaddr and p->daddr
> usage but you are in the right direction. Such change should
> fix a problem where connection templates don't get full
> IPv6 address for the real server, only the first 4 bytes
> are copied and as result it works only for IPv4.

Sorry for that, looks like I ran the test build after adapting to
current code with a config which didn't actually compile this file.
I'll send a v2 after testing a fixed version and I'll also extend the
commit message to describe the outcome.

                                                      Michal Kubecek

[PATCH nf v2] ipvs: fix AF assignment in ip_vs_conn_new()

[Michal Kubecek]

If a fwmark is passed to ip_vs_conn_new(), it is passed in
vaddr, not daddr. Therefore we should set AF to AF_UNSPEC in
vaddr assignment (like we do in ip_vs_ct_in_get()), otherwise we
may copy only first 4 bytes of an IPv6 address into cp->daddr.

v2: fix messed up {d,v}addr and p->{d,v}addr, add info about the
outcome (thanks to Julian Anastasov)

Signed-off-by: Bogdano Arendartchuk <barendartchuk@suse.com>
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 net/netfilter/ipvs/ip_vs_conn.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 59a1a85..a8eb0a8 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -871,11 +871,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
 	cp->protocol	   = p->protocol;
 	ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
 	cp->cport	   = p->cport;
-	ip_vs_addr_set(p->af, &cp->vaddr, p->vaddr);
-	cp->vport	   = p->vport;
-	/* proto should only be IPPROTO_IP if d_addr is a fwmark */
+	/* proto should only be IPPROTO_IP if p->vaddr is a fwmark */
 	ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
-		       &cp->daddr, daddr);
+		       &cp->vaddr, p->vaddr);
+	cp->vport	   = p->vport;
+	ip_vs_addr_set(p->af, &cp->daddr, daddr);
 	cp->dport          = dport;
 	cp->flags	   = flags;
 	cp->fwmark         = fwmark;
-- 
1.8.1.4

Re: [PATCH nf v2] ipvs: fix AF assignment in ip_vs_conn_new()

[Julian Anastasov]

	Hello,

On Thu, 30 Jan 2014, Michal Kubecek wrote:

> If a fwmark is passed to ip_vs_conn_new(), it is passed in
> vaddr, not daddr. Therefore we should set AF to AF_UNSPEC in
> vaddr assignment (like we do in ip_vs_ct_in_get()), otherwise we
> may copy only first 4 bytes of an IPv6 address into cp->daddr.
> 
> v2: fix messed up {d,v}addr and p->{d,v}addr, add info about the
> outcome (thanks to Julian Anastasov)
> 
> Signed-off-by: Bogdano Arendartchuk <barendartchuk@suse.com>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

Acked-by: Julian Anastasov <ja@ssi.bg>

	Looks like problem comes from
commit be8be9eccbf2d908a7e56b3f7a71105cd88da06b
"ipvs: Fix IPv4 FWMARK virtual services" (2.6.30).

> ---
>  net/netfilter/ipvs/ip_vs_conn.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
> index 59a1a85..a8eb0a8 100644
> --- a/net/netfilter/ipvs/ip_vs_conn.c
> +++ b/net/netfilter/ipvs/ip_vs_conn.c
> @@ -871,11 +871,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
>  	cp->protocol	   = p->protocol;
>  	ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
>  	cp->cport	   = p->cport;
> -	ip_vs_addr_set(p->af, &cp->vaddr, p->vaddr);
> -	cp->vport	   = p->vport;
> -	/* proto should only be IPPROTO_IP if d_addr is a fwmark */
> +	/* proto should only be IPPROTO_IP if p->vaddr is a fwmark */
>  	ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
> -		       &cp->daddr, daddr);
> +		       &cp->vaddr, p->vaddr);
> +	cp->vport	   = p->vport;
> +	ip_vs_addr_set(p->af, &cp->daddr, daddr);
>  	cp->dport          = dport;
>  	cp->flags	   = flags;
>  	cp->fwmark         = fwmark;
> -- 
> 1.8.1.4

Regards

--
Julian Anastasov <ja@ssi.bg>

Re: [PATCH nf v2] ipvs: fix AF assignment in ip_vs_conn_new()

[Simon Horman]

On Thu, Jan 30, 2014 at 10:29:22AM +0200, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Thu, 30 Jan 2014, Michal Kubecek wrote:
> 
> > If a fwmark is passed to ip_vs_conn_new(), it is passed in
> > vaddr, not daddr. Therefore we should set AF to AF_UNSPEC in
> > vaddr assignment (like we do in ip_vs_ct_in_get()), otherwise we
> > may copy only first 4 bytes of an IPv6 address into cp->daddr.
> > 
> > v2: fix messed up {d,v}addr and p->{d,v}addr, add info about the
> > outcome (thanks to Julian Anastasov)
> > 
> > Signed-off-by: Bogdano Arendartchuk <barendartchuk@suse.com>
> > Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> 
> Acked-by: Julian Anastasov <ja@ssi.bg>
> 
> 	Looks like problem comes from
> commit be8be9eccbf2d908a7e56b3f7a71105cd88da06b
> "ipvs: Fix IPv4 FWMARK virtual services" (2.6.30).

Thanks, I'll queue this up.

> 
> > ---
> >  net/netfilter/ipvs/ip_vs_conn.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
> > index 59a1a85..a8eb0a8 100644
> > --- a/net/netfilter/ipvs/ip_vs_conn.c
> > +++ b/net/netfilter/ipvs/ip_vs_conn.c
> > @@ -871,11 +871,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
> >  	cp->protocol	   = p->protocol;
> >  	ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
> >  	cp->cport	   = p->cport;
> > -	ip_vs_addr_set(p->af, &cp->vaddr, p->vaddr);
> > -	cp->vport	   = p->vport;
> > -	/* proto should only be IPPROTO_IP if d_addr is a fwmark */
> > +	/* proto should only be IPPROTO_IP if p->vaddr is a fwmark */
> >  	ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
> > -		       &cp->daddr, daddr);
> > +		       &cp->vaddr, p->vaddr);
> > +	cp->vport	   = p->vport;
> > +	ip_vs_addr_set(p->af, &cp->daddr, daddr);
> >  	cp->dport          = dport;
> >  	cp->flags	   = flags;
> >  	cp->fwmark         = fwmark;
> > -- 
> > 1.8.1.4
> 
> Regards
> 
> --
> Julian Anastasov <ja@ssi.bg>
>