netdev.vger.kernel.org archive mirror
* [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule
@ 2017-08-20  5:38 Xin Long
  2017-08-20  5:38 ` [PATCH net 1/2] netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet Xin Long
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Xin Long @ 2017-08-20  5:38 UTC (permalink / raw)
  To: netfilter-devel
  Cc: pablo, Alex Gartrell, lvs-devel, netdev, horms, ja, wensong

Patch 1/2 fixes the regression introduced by commit 5e26b1b3abce.
Patch 2/2 makes ipvs not create conn for sctp ABORT packet.

Xin Long (2):
  netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT
    packet
  netfilter: ipvs: do not create conn for ABORT packet in
    sctp_conn_schedule

 net/netfilter/ipvs/ip_vs_proto_sctp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.1.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH net 1/2] netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet
  2017-08-20  5:38 [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule Xin Long
@ 2017-08-20  5:38 ` Xin Long
  2017-08-20  5:38   ` [PATCH net 2/2] netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule Xin Long
  2017-08-20  7:28 ` [PATCH net 0/2] netfilter: ipvs: some fixes " Julian Anastasov
  2017-08-28 16:17 ` Pablo Neira Ayuso
  2 siblings, 1 reply; 7+ messages in thread
From: Xin Long @ 2017-08-20  5:38 UTC (permalink / raw)
  To: netfilter-devel
  Cc: pablo, Alex Gartrell, lvs-devel, netdev, horms, ja, wensong

Commit 5e26b1b3abce ("ipvs: support scheduling inverse and icmp SCTP
packets") changed to check packet type early. It introduced a side
effect: if it's not an INIT packet, ports will be set as NULL, and
the packet will be dropped later.

It caused that sctp couldn't create connection when ipvs module is
loaded and any scheduler is registered on server.

Li Shuang reproduced it by running the cmds on sctp server:
  # ipvsadm -A -t 1.1.1.1:80 -s rr
  # ipvsadm -D -t 1.1.1.1:80
then the server couldn't work any more.

This patch is to return 1 when it's not an INIT packet. It means ipvs
will accept it without creating a conn for it, just like what it does
for tcp.

Fixes: 5e26b1b3abce ("ipvs: support scheduling inverse and icmp SCTP packets")
Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/netfilter/ipvs/ip_vs_proto_sctp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index 3ffad4a..e9b18ac 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -24,9 +24,12 @@ sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
 		if (sh) {
 			sch = skb_header_pointer(skb, iph->len + sizeof(_sctph),
 						 sizeof(_schunkh), &_schunkh);
-			if (sch && (sch->type == SCTP_CID_INIT ||
-				    sysctl_sloppy_sctp(ipvs)))
+			if (sch) {
+				if (!(sysctl_sloppy_sctp(ipvs) ||
+				      sch->type == SCTP_CID_INIT))
+					return 1;
 				ports = &sh->source;
+			}
 		}
 	} else {
 		ports = skb_header_pointer(
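
Review bot: The new early `return 1` in the `if (!(sysctl_sloppy_sctp(ipvs) || sch->type == SCTP_CID_INIT))` branch carries no comment saying what a return value of 1 means at this point. The commit message explains it as accepting the packet without creating a conn, as is done for tcp, and a one-line comment to that effect above the test would keep that reasoning next to the code. The condition would also read more directly as `!sysctl_sloppy_sctp(ipvs) && sch->type != SCTP_CID_INIT`. Separately, when skb_header_pointer() returns NULL for the chunk header, ports is still left unset, so a packet too short to carry a chunk header keeps taking the path the commit message describes as being dropped later; if that is intended, it is worth stating in the changelog.
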
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH net 2/2] netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule
  2017-08-20  5:38 ` [PATCH net 1/2] netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet Xin Long
@ 2017-08-20  5:38   ` Xin Long
  0 siblings, 0 replies; 7+ messages in thread
From: Xin Long @ 2017-08-20  5:38 UTC (permalink / raw)
  To: netfilter-devel
  Cc: pablo, Alex Gartrell, lvs-devel, netdev, horms, ja, wensong

There's no reason for ipvs to create a conn for an ABORT packet
even if sysctl_sloppy_sctp is set.

This patch is to accept it without creating a conn, just as ipvs
does for tcp's RST packet.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/netfilter/ipvs/ip_vs_proto_sctp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index e9b18ac..d86773a 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -25,7 +25,8 @@ sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
 			sch = skb_header_pointer(skb, iph->len + sizeof(_sctph),
 						 sizeof(_schunkh), &_schunkh);
 			if (sch) {
-				if (!(sysctl_sloppy_sctp(ipvs) ||
+				if (sch->type == SCTP_CID_ABORT ||
+				    !(sysctl_sloppy_sctp(ipvs) ||
 				      sch->type == SCTP_CID_INIT))
 					return 1;
 				ports = &sh->source;
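
Review bot: The `sch->type == SCTP_CID_ABORT` test only sees the chunk header read at iph->len + sizeof(_sctph), that is, the first chunk after the SCTP common header, so with sysctl_sloppy_sctp set a packet that carries an ABORT behind another chunk still reaches `ports = &sh->source`. If that case matters, either walk the chunks or say in the changelog that only the first chunk is considered; a short comment in the code would do as well. The combined condition is also getting hard to read, with one positive test OR'ed with a negated group; splitting the ABORT case into its own `if` with a comment mirroring the tcp RST rationale from the commit message would keep the two reasons for returning 1 distinct.
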
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule
  2017-08-20  5:38 [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule Xin Long
  2017-08-20  5:38 ` [PATCH net 1/2] netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet Xin Long
@ 2017-08-20  7:28 ` Julian Anastasov
  2017-08-28 16:17 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 7+ messages in thread
From: Julian Anastasov @ 2017-08-20  7:28 UTC (permalink / raw)
  To: Xin Long
  Cc: netfilter-devel, pablo, Alex Gartrell, lvs-devel, netdev, horms, wensong


	Hello,

On Sun, 20 Aug 2017, Xin Long wrote:

> Patch 1/2 fixes the regression introduced by commit 5e26b1b3abce.
> Patch 2/2 makes ipvs not create conn for sctp ABORT packet.
> 
> Xin Long (2):
>   netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT
>     packet
>   netfilter: ipvs: do not create conn for ABORT packet in
>     sctp_conn_schedule
> 
>  net/netfilter/ipvs/ip_vs_proto_sctp.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

	Patchset looks ok to me,

Acked-by: Julian Anastasov <ja@ssi.bg>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule
  2017-08-20  5:38 [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule Xin Long
  2017-08-20  5:38 ` [PATCH net 1/2] netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet Xin Long
  2017-08-20  7:28 ` [PATCH net 0/2] netfilter: ipvs: some fixes " Julian Anastasov
@ 2017-08-28 16:17 ` Pablo Neira Ayuso
  2017-08-31 11:59   ` Simon Horman
  2 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-28 16:17 UTC (permalink / raw)
  To: Xin Long
  Cc: netfilter-devel, Alex Gartrell, lvs-devel, netdev, horms, ja, wensong

On Sun, Aug 20, 2017 at 01:38:06PM +0800, Xin Long wrote:
> Patch 1/2 fixes the regression introduced by commit 5e26b1b3abce.
> Patch 2/2 makes ipvs not create conn for sctp ABORT packet.

Will wait for Julian and Simon to tell me what I should do with this.

Thanks!

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule
  2017-08-28 16:17 ` Pablo Neira Ayuso
@ 2017-08-31 11:59   ` Simon Horman
  2017-09-08 11:40     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 7+ messages in thread
From: Simon Horman @ 2017-08-31 11:59 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Xin Long, netfilter-devel, Alex Gartrell, lvs-devel, netdev, ja, wensong

On Mon, Aug 28, 2017 at 06:17:32PM +0200, Pablo Neira Ayuso wrote:
> On Sun, Aug 20, 2017 at 01:38:06PM +0800, Xin Long wrote:
> > Patch 1/2 fixes the regression introduced by commit 5e26b1b3abce.
> > Patch 2/2 makes ipvs not create conn for sctp ABORT packet.
> 
> Will wait for Julian and Simon to tell me what I should do with this.

Hi Pablo,

could you take these directly with Julian's Ack and the following?

Signed-off-by: Simon Horman <horms@verge.net.au>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule
  2017-08-31 11:59   ` Simon Horman
@ 2017-09-08 11:40     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-09-08 11:40 UTC (permalink / raw)
  To: Simon Horman
  Cc: Xin Long, netfilter-devel, Alex Gartrell, lvs-devel, netdev, ja, wensong

On Thu, Aug 31, 2017 at 01:59:08PM +0200, Simon Horman wrote:
> On Mon, Aug 28, 2017 at 06:17:32PM +0200, Pablo Neira Ayuso wrote:
> > On Sun, Aug 20, 2017 at 01:38:06PM +0800, Xin Long wrote:
> > > Patch 1/2 fixes the regression introduced by commit 5e26b1b3abce.
> > > Patch 2/2 makes ipvs not create conn for sctp ABORT packet.
> > 
> > Will wait for Julian and Simon to tell me what I should do with this.
> 
> Hi Pablo,
> 
> could you take these directly with Julian's Ack and the following?
> 
> Signed-off-by: Simon Horman <horms@verge.net.au>

Series applied, thanks!

^ permalink raw reply	[flat|nested] 7+ messages in thread
