From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 05/18] ipvs: allow rescheduling after RST
Date: Tue, 15 Mar 2016 02:27:49 +0100 [thread overview]
Message-ID: <1458005282-24665-6-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1458005282-24665-1-git-send-email-pablo@netfilter.org>
From: Julian Anastasov <ja@ssi.bg>
"RFC 5961, 4.2. Mitigation" describes a mechanism to request
client to confirm with RST the restart of TCP connection
before resending its SYN. As result, IPVS can see SYNs for
existing connection in CLOSE state. Add check to allow
rescheduling in this state.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/ipvs/ip_vs_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4da5600..b9a4082 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1089,6 +1089,7 @@ static inline bool is_new_conn_expected(const struct ip_vs_conn *cp,
switch (cp->protocol) {
case IPPROTO_TCP:
return (cp->state == IP_VS_TCP_S_TIME_WAIT) ||
+ (cp->state == IP_VS_TCP_S_CLOSE) ||
((conn_reuse_mode & 2) &&
(cp->state == IP_VS_TCP_S_FIN_WAIT) &&
(cp->flags & IP_VS_CONN_F_NOOUTPUT));
--
2.1.4
next prev parent reply other threads:[~2016-03-15 1:28 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-15 1:27 [PATCH 00/18] Netfilter/IPVS/OVS updates for net-next Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 01/18] netfilter: ipset: Fix set:list type crash when flush/dump set in parallel Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 02/18] netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 03/18] ipvs: handle ip_vs_fill_iph_skb_off failure Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 04/18] ipvs: drop first packet to redirect conntrack Pablo Neira Ayuso
2016-03-15 1:27 ` Pablo Neira Ayuso [this message]
2016-03-15 1:27 ` [PATCH 06/18] ipvs: correct initial offset of Call-ID header search in SIP persistence engine Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 07/18] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 08/18] netfilter: nft_compat: check match/targetinfo attr size Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 09/18] netfilter: x_tables: check for size overflow Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 10/18] netfilter: Remove IP_CT_NEW_REPLY definition Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 11/18] netfilter: Allow calling into nat helper without skb_dst Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 12/18] openvswitch: Add commentary to conntrack.c Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 13/18] openvswitch: Update the CT state key only after nf_conntrack_in() Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 14/18] openvswitch: Find existing conntrack entry after upcall Pablo Neira Ayuso
2016-03-15 1:27 ` [PATCH 15/18] openvswitch: Handle NF_REPEAT in conntrack action Pablo Neira Ayuso
2016-03-15 1:28 ` [PATCH 16/18] openvswitch: Delay conntrack helper call for new connections Pablo Neira Ayuso
2016-03-15 1:28 ` [PATCH 17/18] openvswitch: Interface with NAT Pablo Neira Ayuso
2016-03-15 1:28 ` [PATCH 18/18] netfilter: nf_conntrack: consolidate lock/unlock into unlock_wait Pablo Neira Ayuso
2016-03-15 2:33 ` [PATCH 00/18] Netfilter/IPVS/OVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458005282-24665-6-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).