From: KOVACS Krisztian <hidden@balabit.hu>
To: Julian Anastasov <ja@ssi.bg>
Cc: David Miller <davem@davemloft.net>,
kaber@trash.net, horms@verge.net.au, jkrzyszt@tis.icnet.pl,
hidden@sch.bme.hu, netdev@vger.kernel.org
Subject: Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
Date: Fri, 1 Jun 2007 14:55:30 +0200 [thread overview]
Message-ID: <200706011455.31220@nienna> (raw)
In-Reply-To: <Pine.LNX.4.58.0706010123020.2683@u.domain.uli>
Hi,
On Friday 01 June 2007 01:18, Julian Anastasov wrote:
> What about something like this, it even reduces checks
> in the fast path. You can post new version if the following change
> looks good to you and to other developers. If additional sign line is
> needed here it is:
>
> Signed-off-by: Julian Anastasov <ja@ssi.bg>
>
>[...]
> Or we can go further and to avoid ip_dev_find? For me, this
> second variant is preferred because calling ip_dev_find() is useless
> for FLOWI_FLAG_ANYSRC.
You're right. Although I don't really like duplicating the ip_dev_find()
call, it's still better than the previous patch.
--
Regards,
Krisztian Kovacs
Loosen source address check on IPv4 output
ip_route_output() contains a check to make sure that no flows with
non-local source IP addresses are routed. This obviously makes using
such addresses impossible.
This patch introduces a flowi flag which makes omitting this check
possible.
Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
---
include/net/flow.h | 1 +
net/ipv4/route.c | 20 +++++++++++++-------
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/include/net/flow.h b/include/net/flow.h
index f3cc1f8..1bfc0dc 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -49,6 +49,7 @@ struct flowi {
__u8 proto;
__u8 flags;
#define FLOWI_FLAG_MULTIPATHOLDROUTE 0x01
+#define FLOWI_FLAG_ANYSRC 0x02
union {
struct {
__be16 sport;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 8603cfb..4acd3de 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2394,11 +2394,6 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
ZERONET(oldflp->fl4_src))
goto out;
- /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
- dev_out = ip_dev_find(oldflp->fl4_src);
- if (dev_out == NULL)
- goto out;
-
/* I removed check for oif == dev_out->oif here.
It was wrong for two reasons:
1. ip_dev_find(saddr) can return wrong iface, if saddr is
@@ -2409,6 +2404,11 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
if (oldflp->oif == 0
&& (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) {
+ /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
+ dev_out = ip_dev_find(oldflp->fl4_src);
+ if (dev_out == NULL)
+ goto out;
+
/* Special hack: user can direct multicasts
and limited broadcast via necessary interface
without fiddling with IP_MULTICAST_IF or IP_PKTINFO.
@@ -2427,9 +2427,15 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
fl.oif = dev_out->ifindex;
goto make_route;
}
- if (dev_out)
+
+ if (!(oldflp->flags & FLOWI_FLAG_ANYSRC)) {
+ /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
+ dev_out = ip_dev_find(oldflp->fl4_src);
+ if (dev_out == NULL)
+ goto out;
dev_put(dev_out);
- dev_out = NULL;
+ dev_out = NULL;
+ }
}
next prev parent reply other threads:[~2007-06-01 12:55 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200704271705.l3RH5Brw026873@hera.kernel.org>
2007-05-14 10:21 ` [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed Patrick McHardy
2007-05-14 10:35 ` David Miller
2007-05-14 14:25 ` Janusz Krzysztofik
2007-05-14 14:32 ` Patrick McHardy
2007-05-14 15:49 ` Janusz Krzysztofik
2007-05-14 17:41 ` Patrick McHardy
2007-05-15 5:26 ` Simon Horman
2007-05-15 9:46 ` Janusz Krzysztofik
2007-05-15 16:11 ` Patrick McHardy
2007-05-15 23:41 ` Julian Anastasov
2007-05-17 11:25 ` Janusz Krzysztofik
2007-05-17 16:41 ` Patrick McHardy
2007-05-17 16:40 ` Patrick McHardy
2007-05-17 20:51 ` David Miller
2007-05-18 1:06 ` Simon Horman
2007-05-18 8:40 ` Julian Anastasov
2007-05-18 9:05 ` David Miller
2007-05-30 9:38 ` KOVACS Krisztian
2007-05-31 0:21 ` Julian Anastasov
2007-05-31 12:50 ` KOVACS Krisztian
2007-05-31 23:18 ` Julian Anastasov
2007-06-01 12:55 ` KOVACS Krisztian [this message]
2007-06-20 10:57 ` Balazs Scheidler
2007-06-21 7:56 ` Julian Anastasov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200706011455.31220@nienna \
--to=hidden@balabit.hu \
--cc=davem@davemloft.net \
--cc=hidden@sch.bme.hu \
--cc=horms@verge.net.au \
--cc=ja@ssi.bg \
--cc=jkrzyszt@tis.icnet.pl \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.