From: Julian Anastasov <ja@ssi.bg>
To: Andrew Sy Kim <kim.andrewsy@gmail.com>
Cc: Wensong Zhang <wensong@linux-vs.org>, Simon Horman <horms@verge.net.au>, Pablo Neira Ayuso <pablo@netfilter.org>, Jozsef Kadlecsik <kadlec@netfilter.org>, Florian Westphal <fw@strlen.de>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, "open list:IPVS" <netdev@vger.kernel.org>, "open list:IPVS" <lvs-devel@vger.kernel.org>, "open list:NETFILTER" <netfilter-devel@vger.kernel.org>, "open list:NETFILTER" <coreteam@netfilter.org>, open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] netfilter/ipvs: expire no destination UDP connections when expire_nodest_conn=1
Date: Fri, 15 May 2020 21:07:09 +0300 (EEST)
Message-ID: <alpine.LFD.2.21.2005152044380.3860@ja.home.ssi.bg>
In-Reply-To: <20200515013556.5582-1-kim.andrewsy@gmail.com>

	Hello,

On Thu, 14 May 2020, Andrew Sy Kim wrote:

> When expire_nodest_conn=1 and an IPVS destination is deleted, IPVS
> doesn't expire connections with the IP_VS_CONN_F_ONE_PACKET flag set (any
> UDP connection). If there are many UDP packets to a virtual server from a
> single client and a destination is deleted, many packets are silently
> dropped whenever an existing connection entry with the same source port
> exists. This patch ensures IPVS also expires UDP connections when a
> packet matches an existing connection with no destinations.
>
> Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
> ---
> net/netfilter/ipvs/ip_vs_core.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index aa6a603a2425..f0535586fe75 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -2116,8 +2116,7 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
> else
> ip_vs_conn_put(cp);

	Above ip_vs_conn_put() should free the ONE_PACKET connections
because:

- such connections never start a timer, they are designed to exist
just to schedule the packet, then they are released.
- no one takes extra references

	So, ip_vs_conn_put() simply calls ip_vs_conn_expire() where
connections should be released immediately. As a result, we can not
access cp after this point here. That is why we work just with 'flags'
below...

	Note that not every UDP connection has the ONE_PACKET flag, it is
present if you configure it for the service. Do you have the -o/--ops
flag? If not, the UDP connection should expire before the next jiffie.
This is the theory, in practice, you may observe some problem...

> - if (sysctl_expire_nodest_conn(ipvs) &&
> - !(flags & IP_VS_CONN_F_ONE_PACKET)) {
> + if (sysctl_expire_nodest_conn(ipvs)) {
> /* try to expire the connection immediately */
> ip_vs_conn_expire_now(cp);
> }

	You can also look at the discussion which resulted in the last
patch for this place:

http://archive.linuxvirtualserver.org/html/lvs-devel/2018-07/msg00014.html

Regards

--
Julian Anastasov <ja@ssi.bg>
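Review bot: Dropping the `!(flags & IP_VS_CONN_F_ONE_PACKET)` guard makes `ip_vs_conn_expire_now(cp)` run on a ONE_PACKET connection that the `ip_vs_conn_put(cp)` in the hunk's leading context has already released: such connections arm no timer and nobody holds an extra reference, which is exactly why the existing code works only with the saved `flags` after the put. The new path therefore dereferences a freed `cp`. Keep the guard as it is; if the dropped packets come from UDP connections that do not carry ONE_PACKET (service configured without -o/--ops), that is a different case to chase, and the commit message's "(any UDP connection)" should be corrected, since the flag is set per service rather than for every UDP connection.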
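As an added illustration of the lifecycle the review above describes (example code written for this page, not kernel code and not from the thread): a simplified C model in which `struct conn`, `conn_new()`, `conn_put()` and `handle_no_dest()` are hypothetical stand-ins for `ip_vs_conn`, `ip_vs_conn_put()` and the no-destination path of `ip_vs_in()`. It shows why the check on the saved flags, not on `cp`, is what keeps a released ONE_PACKET connection from being touched after the put.

```c
#include <stdlib.h>
#define CONN_F_ONE_PACKET 0x01  /* stand-in for IP_VS_CONN_F_ONE_PACKET */
struct conn {
    int refcnt;
    unsigned int flags;
    int expired_now;            /* set when expire_now() is requested */
};
static int freed_conns;         /* counts releases so callers can observe them */
/* Stand-in for ip_vs_conn_put(): the last reference frees the connection.
 * ONE_PACKET connections hold no timer reference, so this put is their last. */
static void conn_put(struct conn *cp)
{
    if (--cp->refcnt == 0) {
        freed_conns++;
        free(cp);
    }
}
static struct conn *conn_new(unsigned int flags)
{
    struct conn *cp = calloc(1, sizeof(*cp));
    cp->flags = flags;
    cp->refcnt = (flags & CONN_F_ONE_PACKET) ? 1 : 2; /* packet ref (+ timer ref) */
    return cp;
}
/* Pre-patch ordering in ip_vs_in(): copy flags, drop the packet reference,
 * then touch cp only if the saved flags prove it outlived the put. */
static int handle_no_dest(struct conn *cp, int expire_nodest_conn)
{
    unsigned int flags = cp->flags;
    conn_put(cp);               /* may free cp: no deref after this line */
    if (expire_nodest_conn && !(flags & CONN_F_ONE_PACKET)) {
        cp->expired_now = 1;    /* safe: the timer still holds a reference */
        return 1;
    }
    return 0;                   /* ONE_PACKET: already released, never touched */
}

/* Scenario helpers return 1 when the outcome matches the review's model. */
static int scenario_normal_conn(void)
{
    struct conn *cp = conn_new(0);
    int before = freed_conns, expired = handle_no_dest(cp, 1);
    int alive = (freed_conns == before) && cp->expired_now;
    conn_put(cp);               /* the timer side drops its reference */
    return expired && alive && freed_conns == before + 1;
}
static int scenario_one_packet_conn(void)
{
    int before = freed_conns;
    int expired = handle_no_dest(conn_new(CONN_F_ONE_PACKET), 1);
    return !expired && freed_conns == before + 1;
}
```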