From: Patrick McHardy <kaber@trash.net>
To: Simon Horman <horms@verge.net.au>
Cc: Linux Netdev List <netdev@vger.kernel.org>,
Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
Subject: Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
Date: Mon, 14 May 2007 12:21:34 +0200 [thread overview]
Message-ID: <4648382E.8030009@trash.net> (raw)
In-Reply-To: <200704271705.l3RH5Brw026873@hera.kernel.org>
Linux Kernel Mailing List wrote:
> Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2d771cd86d4c3af26f34a7bcdc1b87696824cad9
> Commit: 2d771cd86d4c3af26f34a7bcdc1b87696824cad9
>
> [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
>
> this is a small patch by Janusz Krzysztofik to ip_route_output_slow()
> that allows VIP-less LVS linux director to generate packets
> originating >From VIP if sysctl_ip_nonlocal_bind is set.
>
> In a nutshell, the intention is for an LVS linux director to be able
> to send ICMP unreachable responses to end-users when real-servers are
> removed.
>
> http://archive.linuxvirtualserver.org/html/lvs-users/2007-01/msg00106.html
>
> Signed-off-by: Simon Horman <horms@verge.net.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> ---
> net/ipv4/route.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index df9fe4f..cb76e3c 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -2396,7 +2396,7 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
>
> /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
> dev_out = ip_dev_find(oldflp->fl4_src);
> - if (dev_out == NULL)
> + if ((dev_out == NULL) && !(sysctl_ip_nonlocal_bind))
> goto out;
This allows any user to send spoofed packets when ip_nonlocal_bind
is set, which is a quite big change in behaviour of this option.
The TPROXY patches include a similar change, but use a flag in
struct flowi that requires CAP_NET_ADMIN to be set, which seems like
a better idea. Alternatively you could just use input routing for
non-local source addresses like ip_route_me_harder does.
BTW, there doesn't even seem to be a spot where IPVS calls
ip_route_output with the source address set. What exactly is this
needed for?
next parent reply other threads:[~2007-05-14 10:23 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200704271705.l3RH5Brw026873@hera.kernel.org>
2007-05-14 10:21 ` Patrick McHardy [this message]
2007-05-14 10:35 ` [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed David Miller
2007-05-14 14:25 ` Janusz Krzysztofik
2007-05-14 14:32 ` Patrick McHardy
2007-05-14 15:49 ` Janusz Krzysztofik
2007-05-14 17:41 ` Patrick McHardy
2007-05-15 5:26 ` Simon Horman
2007-05-15 9:46 ` Janusz Krzysztofik
2007-05-15 16:11 ` Patrick McHardy
2007-05-15 23:41 ` Julian Anastasov
2007-05-17 11:25 ` Janusz Krzysztofik
2007-05-17 16:41 ` Patrick McHardy
2007-05-17 16:40 ` Patrick McHardy
2007-05-17 20:51 ` David Miller
2007-05-18 1:06 ` Simon Horman
2007-05-18 8:40 ` Julian Anastasov
2007-05-18 9:05 ` David Miller
2007-05-30 9:38 ` KOVACS Krisztian
2007-05-31 0:21 ` Julian Anastasov
2007-05-31 12:50 ` KOVACS Krisztian
2007-05-31 23:18 ` Julian Anastasov
2007-06-01 12:55 ` KOVACS Krisztian
2007-06-20 10:57 ` Balazs Scheidler
2007-06-21 7:56 ` Julian Anastasov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4648382E.8030009@trash.net \
--to=kaber@trash.net \
--cc=horms@verge.net.au \
--cc=jkrzyszt@tis.icnet.pl \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.