From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 17/34] ipvs: Supply destination address family to ip_vs_conn_new
Date: Mon, 29 Sep 2014 14:39:06 +0200 [thread overview]
Message-ID: <1411994363-8451-18-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1411994363-8451-1-git-send-email-pablo@netfilter.org>
From: Alex Gartrell <agartrell@fb.com>
The assumption that dest af is equal to service af is now unreliable, so we
must specify it manually so as not to copy just the first 4 bytes of a v6
address or doing an illegal read of 16 butes on a v6 address.
We "lie" in two places: for synchronization (which we will explicitly
disallow from happening when we have heterogeneous pools) and for black
hole addresses where there's no real dest.
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
include/net/ip_vs.h | 3 ++-
net/netfilter/ipvs/ip_vs_conn.c | 5 +++--
net/netfilter/ipvs/ip_vs_core.c | 9 +++++----
net/netfilter/ipvs/ip_vs_ftp.c | 6 ++++--
net/netfilter/ipvs/ip_vs_sync.c | 3 ++-
5 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 2fa1155..7600dbe 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -535,6 +535,7 @@ struct ip_vs_conn {
union nf_inet_addr daddr; /* destination address */
volatile __u32 flags; /* status flags */
__u16 protocol; /* Which protocol (TCP/UDP) */
+ __u16 daf; /* Address family of the dest */
#ifdef CONFIG_NET_NS
struct net *net; /* Name space */
#endif
@@ -1213,7 +1214,7 @@ static inline void __ip_vs_conn_put(struct ip_vs_conn *cp)
void ip_vs_conn_put(struct ip_vs_conn *cp);
void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport);
-struct ip_vs_conn *ip_vs_conn_new(const struct ip_vs_conn_param *p,
+struct ip_vs_conn *ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af,
const union nf_inet_addr *daddr,
__be16 dport, unsigned int flags,
struct ip_vs_dest *dest, __u32 fwmark);
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 8f4c602..fdb4880 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -854,7 +854,7 @@ void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
* Create a new connection entry and hash it into the ip_vs_conn_tab
*/
struct ip_vs_conn *
-ip_vs_conn_new(const struct ip_vs_conn_param *p,
+ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af,
const union nf_inet_addr *daddr, __be16 dport, unsigned int flags,
struct ip_vs_dest *dest, __u32 fwmark)
{
@@ -873,6 +873,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
setup_timer(&cp->timer, ip_vs_conn_expire, (unsigned long)cp);
ip_vs_conn_net_set(cp, p->net);
cp->af = p->af;
+ cp->daf = dest_af;
cp->protocol = p->protocol;
ip_vs_addr_set(p->af, &cp->caddr, p->caddr);
cp->cport = p->cport;
@@ -880,7 +881,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
ip_vs_addr_set(p->protocol == IPPROTO_IP ? AF_UNSPEC : p->af,
&cp->vaddr, p->vaddr);
cp->vport = p->vport;
- ip_vs_addr_set(p->af, &cp->daddr, daddr);
+ ip_vs_addr_set(cp->daf, &cp->daddr, daddr);
cp->dport = dport;
cp->flags = flags;
cp->fwmark = fwmark;
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 5c34e8d..1f6ecb7 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -328,7 +328,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
* This adds param.pe_data to the template,
* and thus param.pe_data will be destroyed
* when the template expires */
- ct = ip_vs_conn_new(¶m, &dest->addr, dport,
+ ct = ip_vs_conn_new(¶m, dest->af, &dest->addr, dport,
IP_VS_CONN_F_TEMPLATE, dest, skb->mark);
if (ct == NULL) {
kfree(param.pe_data);
@@ -357,7 +357,8 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol, &iph->saddr,
src_port, &iph->daddr, dst_port, ¶m);
- cp = ip_vs_conn_new(¶m, &dest->addr, dport, flags, dest, skb->mark);
+ cp = ip_vs_conn_new(¶m, dest->af, &dest->addr, dport, flags, dest,
+ skb->mark);
if (cp == NULL) {
ip_vs_conn_put(ct);
*ignored = -1;
@@ -479,7 +480,7 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol,
&iph->saddr, pptr[0], &iph->daddr,
pptr[1], &p);
- cp = ip_vs_conn_new(&p, &dest->addr,
+ cp = ip_vs_conn_new(&p, dest->af, &dest->addr,
dest->port ? dest->port : pptr[1],
flags, dest, skb->mark);
if (!cp) {
@@ -550,7 +551,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
ip_vs_conn_fill_param(svc->net, svc->af, iph->protocol,
&iph->saddr, pptr[0],
&iph->daddr, pptr[1], &p);
- cp = ip_vs_conn_new(&p, &daddr, 0,
+ cp = ip_vs_conn_new(&p, svc->af, &daddr, 0,
IP_VS_CONN_F_BYPASS | flags,
NULL, skb->mark);
if (!cp)
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index 77c1732..a64fa15 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -233,7 +233,8 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
ip_vs_conn_fill_param(ip_vs_conn_net(cp),
AF_INET, IPPROTO_TCP, &cp->caddr,
0, &cp->vaddr, port, &p);
- n_cp = ip_vs_conn_new(&p, &from, port,
+ /* As above, this is ipv4 only */
+ n_cp = ip_vs_conn_new(&p, AF_INET, &from, port,
IP_VS_CONN_F_NO_CPORT |
IP_VS_CONN_F_NFCT,
cp->dest, skb->mark);
@@ -396,7 +397,8 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
htons(ntohs(cp->vport)-1), &p);
n_cp = ip_vs_conn_in_get(&p);
if (!n_cp) {
- n_cp = ip_vs_conn_new(&p, &cp->daddr,
+ /* This is ipv4 only */
+ n_cp = ip_vs_conn_new(&p, AF_INET, &cp->daddr,
htons(ntohs(cp->dport)-1),
IP_VS_CONN_F_NFCT, cp->dest,
skb->mark);
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index edd2664..7162c86 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -889,7 +889,8 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
param->vaddr, param->vport, protocol,
fwmark, flags);
- cp = ip_vs_conn_new(param, daddr, dport, flags, dest, fwmark);
+ cp = ip_vs_conn_new(param, type, daddr, dport, flags, dest,
+ fwmark);
rcu_read_unlock();
if (!cp) {
kfree(param->pe_data);
--
1.7.10.4
next prev parent reply other threads:[~2014-09-29 12:39 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-29 12:38 [PATCH 00/34] pull request: netfilter/ipvs updates for net-next Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 01/34] netfilter: fix compilation of masquerading without IP_NF_TARGET_MASQUERADE Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 02/34] netfilter: nf_tables: add NFTA_MASQ_UNSPEC to nft_masq_attributes Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 03/34] netfilter: NFT_CHAIN_NAT_IPV* is independent of NFT_NAT Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 04/34] netfilter: masquerading needs to be independent of x_tables in Kconfig Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 05/34] netfilter: ipset: Fix static checker warning in ip_set_core.c Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 06/34] netfilter: ipset: Add skbinfo extension kernel support in the ipset core Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 07/34] netfilter: ipset: Add skbinfo extension kernel support for the bitmap set types Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 08/34] netfilter: ipset: Add skbinfo extension kernel support for the hash " Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 09/34] netfilter: ipset: Add skbinfo extension kernel support for the list set type Pablo Neira Ayuso
2014-09-29 12:38 ` [PATCH 10/34] netfilter: ipset: Add skbinfo extension support to SET target Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 11/34] netfilter: ipset: send nonzero skbinfo extensions only Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 12/34] netfilter: ipset: hash:mac type added to ipset Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 13/34] ipvs: Add simple weighted failover scheduler Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 14/34] ipvs: Add destination address family to netlink interface Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 15/34] ipvs: Supply destination addr family to ip_vs_{lookup_dest,find_dest} Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 16/34] ipvs: Pass destination address family to ip_vs_trash_get_dest Pablo Neira Ayuso
2014-09-29 12:39 ` Pablo Neira Ayuso [this message]
2014-09-29 12:39 ` [PATCH 18/34] ipvs: prevent mixing heterogeneous pools and synchronization Pablo Neira Ayuso
2014-09-29 16:17 ` Sergei Shtylyov
2014-09-30 2:21 ` Simon Horman
2014-09-29 12:39 ` [PATCH 19/34] ipvs: Pull out crosses_local_route_boundary logic Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 20/34] ipvs: Pull out update_pmtu code Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 21/34] ipvs: Add generic ensure_mtu_is_adequate to handle mixed pools Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 22/34] ipvs: support ipv4 in ipv6 and ipv6 in ipv4 tunnel forwarding Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 23/34] ipvs: address family of LBLC entry depends on svc family Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 24/34] ipvs: address family of LBLCR " Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 25/34] ipvs: use correct address family in scheduler logs Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 26/34] ipvs: use the new dest addr family field Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 27/34] ipvs: Allow heterogeneous pools now that we support them Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 28/34] netfilter: nfnetlink: use original skbuff when committing/aborting Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 29/34] netfilter: nf_tables: export rule-set generation ID Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 30/34] net/netfilter/x_tables.c: use __seq_open_private() Pablo Neira Ayuso
2014-09-29 16:07 ` Sergei Shtylyov
2014-09-29 12:39 ` [PATCH 31/34] netfilter: bridge: nf_bridge_copy_header as static inline in header Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 32/34] netfilter: bridge: move br_netfilter out of the core Pablo Neira Ayuso
2014-09-29 22:04 ` Eric Dumazet
2014-09-29 23:17 ` Florian Westphal
2014-09-30 8:56 ` Pablo Neira Ayuso
2014-09-30 15:58 ` Stephen Hemminger
2014-10-01 10:33 ` Pablo Neira Ayuso
2014-09-29 12:39 ` [PATCH 33/34] netfilter: nf_tables: store and dump set policy Pablo Neira Ayuso
2014-09-29 16:14 ` Sergei Shtylyov
2014-10-01 13:47 ` Arturo Borrero Gonzalez
2014-09-29 12:39 ` [PATCH 34/34] netfilter: conntrack: disable generic tracking for known protocols Pablo Neira Ayuso
2014-09-29 18:54 ` [PATCH 00/34] pull request: netfilter/ipvs updates for net-next David Miller
2014-09-30 0:22 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1411994363-8451-18-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).