From: Julian Anastasov
To: Andrew Sy Kim
Cc: Wensong Zhang, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Jakub Kicinski, "open list:IPVS", "open list:IPVS", "open list:NETFILTER", "open list:NETFILTER", open list
Subject: Re: [PATCH] netfilter/ipvs: expire no destination UDP connections when expire_nodest_conn=1
Date: Fri, 15 May 2020 21:07:09 +0300 (EEST)
In-Reply-To: <20200515013556.5582-1-kim.andrewsy@gmail.com>
References: <20200515013556.5582-1-kim.andrewsy@gmail.com>

Hello,

On Thu, 14 May 2020, Andrew Sy Kim wrote:

> When expire_nodest_conn=1 and an IPVS destination is deleted, IPVS
> doesn't expire connections with the IP_VS_CONN_F_ONE_PACKET flag set (any
> UDP connection). If there are many UDP packets to a virtual server from a
> single client and a destination is deleted, many packets are silently
> dropped whenever an existing connection entry with the same source port
> exists. This patch ensures IPVS also expires UDP connections when a
> packet matches an existing connection with no destinations.
>
> Signed-off-by: Andrew Sy Kim
> ---
>  net/netfilter/ipvs/ip_vs_core.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index aa6a603a2425..f0535586fe75 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -2116,8 +2116,7 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
>  		else
>  			ip_vs_conn_put(cp);

	Above ip_vs_conn_put() should free the ONE_PACKET connections
because:

- such connections never start a timer, they are designed to exist
just to schedule the packet, then they are released.

- no one takes extra references

	So, ip_vs_conn_put() simply calls ip_vs_conn_expire() where
connections should be released immediately. As a result, we can not
access cp after this point here. That is why we work just with
'flags' below...

	Note that not every UDP connection has the ONE_PACKET flag, it is
present if you configure it for the service. Do you have the -o/--ops
flag? If not, the UDP connection should expire before the next
jiffie. This is the theory, in practice, you may observe some
problem...

> -		if (sysctl_expire_nodest_conn(ipvs) &&
> -		    !(flags & IP_VS_CONN_F_ONE_PACKET)) {
> +		if (sysctl_expire_nodest_conn(ipvs)) {
>  			/* try to expire the connection immediately */
>  			ip_vs_conn_expire_now(cp);
>  		}

	You can also look at the discussion which resulted in the
last patch for this place:

http://archive.linuxvirtualserver.org/html/lvs-devel/2018-07/msg00014.html

Regards

--
Julian Anastasov
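Review bot: the `-`/`+` lines in this hunk drop the `!(flags & IP_VS_CONN_F_ONE_PACKET)` guard, but the context line `ip_vs_conn_put(cp);` just above it releases the connection, and for ONE_PACKET connections that put is the final reference (the reply above notes they start no timer and nobody takes extra references), so the unguarded `ip_vs_conn_expire_now(cp);` would then touch a `cp` that has already been freed. Keep the flag test as it was, or restructure so the no-destination handling happens before `ip_vs_conn_put()` is called on a ONE_PACKET connection; either way the patch should explain why the guard that the linked 2018 discussion introduced is safe to remove.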