From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marcelo Ricardo Leitner
Subject: Re: [PATCH RFC] ipvs: reschedule new connections if previous was on FIN_WAIT or TIME_WAIT
Date: Mon, 08 Dec 2014 12:29:10 -0200
Message-ID: <5485B5B6.7070909@redhat.com>
References:
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Sender: lvs-devel-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: lvs-devel@vger.kernel.org

(I'll repost if the idea is accepted, this one is just for discussion)

On 08-12-2014 12:27, Marcelo Ricardo Leitner wrote:
> Signed-off-by: Marcelo Ricardo Leitner
> ---
>
> Notes:
> Hi,
>
> We have a report that not doing so may cause poor load balancing if
> applications reuse src port. With a patch like this, it would make
> new SYNs on a given connection to drop the old one and start a new
> one.
>
> One could say that this reuse can be done on purpose and carefully
> as a way to cause poor load balancing to cause a DoS.
>
> Thing is, I'm unsure if we really should do this, as it may end up
> doing more harm than good.
>
> WDYT? And if we do additional checks, like at least validating seq
> number, would it be better?
>
> Thanks,
> Marcelo
>
> net/netfilter/ipvs/ip_vs_core.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index 990decba1fe418e36e59a1f081fcf0e47188da29..e81a9ac3c7e4e25fb14953b7faa4ace054f51274 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1036,6 +1036,14 @@ static inline bool is_new_conn(const struct sk_buff *skb, > } > } > > +static inline bool is_new_conn_expected(const struct ip_vs_conn *cp) > +{ > + if (cp->protocol != IPPROTO_TCP) > + return false; > + return (cp->state == IP_VS_TCP_S_TIME_WAIT) || > + (cp->state == IP_VS_TCP_S_FIN_WAIT); > +} > + > /* Handle response packets: rewrite addresses and send away... > */ > static unsigned int > @@ -1642,9 +1650,10 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) > */ > cp = pp->conn_in_get(af, skb, &iph, 0); > > - if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest && > - unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs && > - is_new_conn(skb, &iph)) { > + if (cp && cp->dest && !iph.fragoffs && is_new_conn(skb, &iph) && > + ((unlikely(sysctl_expire_nodest_conn(ipvs)) && > + unlikely(!atomic_read(&cp->dest->weight))) || > + unlikely(is_new_conn_expected(cp)))) { > ip_vs_conn_expire_now(cp); > __ip_vs_conn_put(cp); > cp = NULL; >
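Review bot: the new is_new_conn_expected() helper in the first hunk has no comment explaining why exactly IP_VS_TCP_S_TIME_WAIT and IP_VS_TCP_S_FIN_WAIT qualify, and its name reads as "a new connection is expected" rather than "the old entry may be replaced by a new SYN". Please add a short comment above it stating the port-reuse rationale from the cover note and why the other closing states are deliberately excluded (e.g. whether a half-closed connection on the server side should really be torn down by a client SYN), and consider a name such as is_conn_reusable() that says what the check permits.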
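Review bot: in the second hunk the rewritten condition changes the evaluation order so that is_new_conn(skb, &iph) now runs for every non-fragment packet that matches an existing connection with a dest, whereas before it was only reached when unlikely(sysctl_expire_nodest_conn(ipvs)) was set and the dest weight had dropped to zero; the cheap cp->state test in is_new_conn_expected(cp) and the sysctl test should be evaluated before the header-parsing call, for example `if (cp && cp->dest && !iph.fragoffs && (... || unlikely(is_new_conn_expected(cp))) && is_new_conn(skb, &iph))`. Also, the new branch is unconditional while the existing behaviour is gated by a sysctl: any SYN that matches the 5-tuple of a FIN_WAIT or TIME_WAIT entry now calls ip_vs_conn_expire_now(cp) on it, which is the DoS angle the cover note itself raises. At minimum gate the new behaviour behind its own sysctl so administrators opt in, and the sequence-number validation the cover note asks about would be a reasonable extra condition before expiring the old entry.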