From: Patrick McHardy <kaber@trash.net>
To: Julian Anastasov <ja@ssi.bg>
Cc: Simon Horman <horms@verge.net.au>,
	lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/3] ipvs: Netfilter connection tracking changes
Date: Tue, 21 Sep 2010 17:36:55 +0200
Message-ID: <4C98D117.3060807@trash.net>
In-Reply-To: <Pine.LNX.4.58.1009162342590.6976@u.domain.uli>

On 16.09.2010 22:46, Julian Anastasov wrote:
> 	Add more code to IPVS to work with Netfilter connection
> tracking and fix some problems.
> 
> - Allow IPVS to be compiled without connection tracking as in
> 2.6.35 and before. This can avoid keeping conntracks for all
> IPVS connections because this costs memory. ip_vs_ftp still
> depends on connection tracking and NAT as implemented for 2.6.36.
> 
> - Add sysctl var "conntrack" to enable connection tracking for
> all IPVS connections. For loaded IPVS directors it needs
> tuning of nf_conntrack_max limit.
> 
> - Add IP_VS_CONN_F_NFCT connection flag to request the connection
> to use connection tracking. This allows user space to provide this
> flag, for example, in dest->conn_flags. This can be useful to
> request connection tracking per real server instead of forcing it
> for all connections with the "conntrack" sysctl. This flag is
> set currently only by ip_vs_ftp and of course by "conntrack" sysctl.
> 
> - Add ip_vs_nfct.c file to hold all connection tracking code,
> this way the main code should not depend on netfilter conntrack
> support.
> 
> - Return back the ip_vs_post_routing handler as in 2.6.35 and use
> skb->ipvs_property=1 to allow IPVS to work without connection
> tracking
> 
> Connection tracking:
> 
> - most of the code is already in 2.6.36-rc
> 
> - alter conntrack reply tuple for LVS-NAT connections when first packet
> from client is forwarded and conntrack state is NEW or RELATED.
> Additionally, alter reply for RELATED connections from real server,
> again for packet in original direction.
> 
> - add IP_VS_XMIT_TUNNEL to confirm conntrack (without altering
> reply) for LVS-TUN early because we want to call nf_reset. It is
> needed because we add IPIP header and the original conntrack
> should be preserved, not destroyed. The transmitted IPIP packets
> can reuse same conntrack, so we do not set skb->ipvs_property.
> 
> - try to destroy conntrack when the IPVS connection is destroyed.
> It is not fatal if conntrack disappears before that, it depends
> on the used timers.
> 
> Fix long-standing problems:
> 
> - add skb->ip_summed = CHECKSUM_NONE for the LVS-TUN transmitters
> 
> Signed-off-by: Julian Anastasov <ja@ssi.bg>


Applied, thanks.
