From: Tinggong Wang <wangtinggong@gmail.com>
To: Hans Schillstrom <hans.schillstrom@ericsson.com>
Cc: Simon Horman <horms@verge.net.au>,
	Wensong Zhang <wensong@linux-vs.org>,
	"lvs-devel@vger.kernel.org" <lvs-devel@vger.kernel.org>,
	Hans Schillstrom <hans@schillstrom.com>,
	Julian Anastasov <ja@ssi.bg>
Subject: Re: [PATCH 2/3] ipvs: check data validation before local_bh_disable
Date: Mon, 13 Dec 2010 18:49:11 +0800
Message-ID: <20101213104911.GB6558@wangtg>
In-Reply-To: <1292230381.4983.31.camel@seasc0214>

on Mon, 13 Dec 2010 09:53:01AM +0100 Hans Schillstrom (hans.schillstrom@ericsson.com) wrote:
> On Mon, 2010-12-13 at 07:29 +0100, Simon Horman wrote:
> > On Mon, Dec 13, 2010 at 11:44:38AM +0800, Tinggong Wang wrote:
> > > on Mon, 13 Dec 2010 06:48:06AM +0900 Simon Horman (horms@verge.net.au) wrote:
> > > > [ CCed Hans Schillstrom and Julian Anastasov ]
> > > > 
> > > > On Sun, Dec 12, 2010 at 07:42:29PM +0800, Tinggong Wang wrote:
> > > > > Signed-off-by: Tinggong Wang <wangtinggong@gmail.com>
> > > > > ---
> > > > >  net/netfilter/ipvs/ip_vs_sync.c |   13 ++++++++-----
> > > > >  1 files changed, 8 insertions(+), 5 deletions(-)
> > > > > 
> > > > > diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
> > > > > index 7632a17..2b6b0cb 100644
> > > > > --- a/net/netfilter/ipvs/ip_vs_sync.c
> > > > > +++ b/net/netfilter/ipvs/ip_vs_sync.c
> > > > > @@ -315,11 +315,6 @@ static void ip_vs_process_message(const char *buffer, const size_t buflen)
> > > > >  	char *p;
> > > > >  	int i;
> > > > >  
> > > > > -	if (buflen < SYNC_MESG_HEADER_LEN) {
> > > > > -		IP_VS_ERR_RL("sync message header too short\n");
> > > > > -		return;
> > > > > -	}
> > > > > -
> > > > >  	/* Convert size back to host byte order */
> > > > >  	m->size = ntohs(m->size);
> > > > >  
> > > > > @@ -823,6 +818,14 @@ static int sync_thread_backup(void *data)
> > > > >  				break;
> > > > >  			}
> > > > >  
> > > > > +			/* throw invalid data before local_bh_disable,
> > > > > +			 * so performance won't be downgraded by it
> > > > > +			 */
> > > > > +			if (len < SYNC_MESG_HEADER_LEN) {
> > > > > +				IP_VS_ERR_RL("sync message header too short\n");
> > > > > +				continue;
> > > > > +			}
> > > > > +
> > > > >  			/* disable bottom half, because it accesses the data
> > > > >  			   shared by softirq while getting/creating conns */
> > > > >  			local_bh_disable();
> > > > > -- 
> > > > > 1.7.2.3
> > > > > 
> > > > 
> > > > Could you explain the motivation for this change?
> > > 
> > > in my opinion, before local_bh_disable, we should ensure packets look
> > > more reasonable.
> > > 
> > > local_bh_disable will disable all bottom-half processing on the local cpu,
> > > if the multicast group is flooded with packets containing bad sync messages,
> > > the local cpu will be busy doing local_bh_disable and local_bh_enable.
> > > 
> > > if the backup pc has only one cpu, all other tasks will be pending until
> > > the flood finishes.
> > 
> > Ok, that does sound reasonable to some extent. But realistically
> > this should only occur if bogus packets are being sent. And in
> > that case it would be possible for bogus packets to be more carefully
> > crafted such that we need to enter ip_vs_process_message() anyway.
> > So I'm not sure if there really is a gain here.
> > 
> I do agree, first of all it's a multicast and they are never opened in
> the firewall, so who should flood us?
> (If IPVS addr and port is open, close it)
> I don't think the extra rows actually add anything, as you say.
> 
Yes, it has a small possibility of occurring, and this patch only makes sense
when the bogus packets' length is less than SYNC_MESG_HEADER_LEN.

But if it occurs, for example, someone writes a program, joins the
multicast group cursorily, and floods bogus packets accidentally,
the backup's performance will be downgraded.

Should this scenario be included? If so, I'll try to improve this
patch.

Thanks!
