* netfilter tree for 2.6.38 is open @ 2011-01-12 21:17 Pablo Neira Ayuso 2011-01-13 11:13 ` [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" Eric Dumazet 0 siblings, 1 reply; 15+ messages in thread From: Pablo Neira Ayuso @ 2011-01-12 21:17 UTC (permalink / raw) To: Netfilter Development Mailinglist Hi, My netfilter tree for 2.6.38 is open. You can find it at: http://1984.lsi.us.es/git/?p=net-next-2.6/.git;a=summary I'm iterating over the list of pending patches since Dec 16th 2010. Please, resubmit your patches if I missed them. Thanks! ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-12 21:17 netfilter tree for 2.6.38 is open Pablo Neira Ayuso @ 2011-01-13 11:13 ` Eric Dumazet 2011-01-13 11:23 ` Pablo Neira Ayuso 0 siblings, 1 reply; 15+ messages in thread From: Eric Dumazet @ 2011-01-13 11:13 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Netfilter Development Mailinglist, netdev, Patrick McHardy ipt_CLUSTERIP users might hit this annoying printk, if they forgot an "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP rule. We could use net_ratelimit() here, or not log the message at all. I chose to log it once per config. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1e26a48..bac8739 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -47,6 +47,7 @@ struct clusterip_config { u_int8_t clustermac[ETH_ALEN]; /* the MAC address */ struct net_device *dev; /* device */ u_int16_t num_total_nodes; /* total number of nodes */ + bool warned_no_conntrack; unsigned long local_nodes; /* node number array */ #ifdef CONFIG_PROC_FS @@ -301,10 +302,14 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) ct = nf_ct_get(skb, &ctinfo); if (ct == NULL) { - pr_info("no conntrack!\n"); - /* FIXME: need to drop invalid ones, since replies - * to outgoing connections of other nodes will be - * marked as INVALID */ + if (unlikely(!cipinfo->config->warned_no_conntrack)) { + cipinfo->config->warned_no_conntrack = true; + pr_info("no conntrack!\n"); + } + /* FIXME: need to drop invalid ones, since replies + * to outgoing connections of other nodes will be + * marked as INVALID + */ return NF_DROP; } ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-13 11:13 ` [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" Eric Dumazet @ 2011-01-13 11:23 ` Pablo Neira Ayuso 2011-01-13 11:28 ` Patrick McHardy 2011-01-13 11:32 ` Eric Dumazet 0 siblings, 2 replies; 15+ messages in thread From: Pablo Neira Ayuso @ 2011-01-13 11:23 UTC (permalink / raw) To: Eric Dumazet; +Cc: Netfilter Development Mailinglist, netdev, Patrick McHardy Hi Eric, On 13/01/11 12:13, Eric Dumazet wrote: > ipt_CLUSTERIP users might hit this annoying printk, if they forgot an > "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP > rule. We could use net_ratelimit() here, or not log the message at all. > I chose to log it once per config. I think that this should be converted to pr_debug() instead, there's also another reference to "unknown protocol" that should be converted as well. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-13 11:23 ` Pablo Neira Ayuso @ 2011-01-13 11:28 ` Patrick McHardy 2011-01-13 11:29 ` Pablo Neira Ayuso 2011-01-13 11:36 ` Eric Dumazet 2011-01-13 11:32 ` Eric Dumazet 1 sibling, 2 replies; 15+ messages in thread From: Patrick McHardy @ 2011-01-13 11:28 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: Eric Dumazet, Netfilter Development Mailinglist, netdev On 13.01.2011 12:23, Pablo Neira Ayuso wrote: > Hi Eric, > > On 13/01/11 12:13, Eric Dumazet wrote: >> ipt_CLUSTERIP users might hit this annoying printk, if they forgot an >> "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP >> rule. We could use net_ratelimit() here, or not log the message at all. >> I chose to log it once per config. > > I think that this should be converted to pr_debug() instead, there's > also another reference to "unknown protocol" that should be converted as > well. I think the FIXME could also be removed, we *do* drop invalid packets in CLUSTERIP. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-13 11:28 ` Patrick McHardy @ 2011-01-13 11:29 ` Pablo Neira Ayuso 2011-01-13 11:36 ` Eric Dumazet 1 sibling, 0 replies; 15+ messages in thread From: Pablo Neira Ayuso @ 2011-01-13 11:29 UTC (permalink / raw) To: Patrick McHardy; +Cc: Eric Dumazet, Netfilter Development Mailinglist, netdev On 13/01/11 12:28, Patrick McHardy wrote: > On 13.01.2011 12:23, Pablo Neira Ayuso wrote: >> Hi Eric, >> >> On 13/01/11 12:13, Eric Dumazet wrote: >>> ipt_CLUSTERIP users might hit this annoying printk, if they forgot an >>> "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP >>> rule. We could use net_ratelimit() here, or not log the message at all. >>> I chose to log it once per config. >> >> I think that this should be converted to pr_debug() instead, there's >> also another reference to "unknown protocol" that should be converted as >> well. > > I think the FIXME could also be removed, we *do* drop invalid > packets in CLUSTERIP. Hey! You're back! :-) ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-13 11:28 ` Patrick McHardy 2011-01-13 11:29 ` Pablo Neira Ayuso @ 2011-01-13 11:36 ` Eric Dumazet 1 sibling, 0 replies; 15+ messages in thread From: Eric Dumazet @ 2011-01-13 11:36 UTC (permalink / raw) To: Patrick McHardy Cc: Pablo Neira Ayuso, Netfilter Development Mailinglist, netdev Le jeudi 13 janvier 2011 à 12:28 +0100, Patrick McHardy a écrit : > On 13.01.2011 12:23, Pablo Neira Ayuso wrote: > > Hi Eric, > > > > On 13/01/11 12:13, Eric Dumazet wrote: > >> ipt_CLUSTERIP users might hit this annoying printk, if they forgot an > >> "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP > >> rule. We could use net_ratelimit() here, or not log the message at all. > >> I chose to log it once per config. > > > > I think that this should be converted to pr_debug() instead, there's > > also another reference to "unknown protocol" that should be converted as > > well. > > I think the FIXME could also be removed, we *do* drop invalid > packets in CLUSTERIP. Ah yes indeed :) Thanks ! [PATCH v3] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" ipt_CLUSTERIP users might hit this annoying printk, if they forgot an "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP rule. We could use net_ratelimit() here, or not log the message at all. I chose to log it once per config. Pablo suggested to use same logic for the "unknown protocol" message Patrick asked to remove an obsolete comment. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> CC: Pablo Neira Ayuso <pablo@netfilter.org> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1e26a48..b5cf3e4 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -47,6 +47,8 @@ struct clusterip_config { u_int8_t clustermac[ETH_ALEN]; /* the MAC address */ struct net_device *dev; /* device */ u_int16_t num_total_nodes; /* total number of nodes */ + bool warned_no_conntrack; + bool warned_unknown_protocol; unsigned long local_nodes; /* node number array */ #ifdef CONFIG_PROC_FS @@ -228,7 +230,7 @@ clusterip_del_node(struct clusterip_config *c, u_int16_t nodenum) static inline u_int32_t clusterip_hashfn(const struct sk_buff *skb, - const struct clusterip_config *config) + struct clusterip_config *config) { const struct iphdr *iph = ip_hdr(skb); unsigned long hashval; @@ -236,7 +238,7 @@ clusterip_hashfn(const struct sk_buff *skb, int poff; poff = proto_ports_offset(iph->protocol); - if (poff >= 0) { + if (likely(poff >= 0)) { const u_int16_t *ports; u16 _ports[2]; @@ -246,8 +248,10 @@ clusterip_hashfn(const struct sk_buff *skb, dport = ports[1]; } } else { - if (net_ratelimit()) + if (unlikely(!config->warned_unknown_protocol)) { + config->warned_unknown_protocol = true; pr_info("unknown protocol %u\n", iph->protocol); + } } switch (config->hash_mode) { @@ -301,10 +305,10 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) ct = nf_ct_get(skb, &ctinfo); if (ct == NULL) { - pr_info("no conntrack!\n"); - /* FIXME: need to drop invalid ones, since replies - * to outgoing connections of other nodes will be - * marked as INVALID */ + if (unlikely(!cipinfo->config->warned_no_conntrack)) { + cipinfo->config->warned_no_conntrack = true; + pr_info("no conntrack!\n"); + } return NF_DROP; } -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-13 11:23 ` Pablo Neira Ayuso 2011-01-13 11:28 ` Patrick McHardy @ 2011-01-13 11:32 ` Eric Dumazet 2011-01-13 11:54 ` Pablo Neira Ayuso 1 sibling, 1 reply; 15+ messages in thread From: Eric Dumazet @ 2011-01-13 11:32 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Netfilter Development Mailinglist, netdev, Patrick McHardy Le jeudi 13 janvier 2011 à 12:23 +0100, Pablo Neira Ayuso a écrit : > Hi Eric, > > On 13/01/11 12:13, Eric Dumazet wrote: > > ipt_CLUSTERIP users might hit this annoying printk, if they forgot an > > "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP > > rule. We could use net_ratelimit() here, or not log the message at all. > > I chose to log it once per config. > > I think that this should be converted to pr_debug() instead, there's > also another reference to "unknown protocol" that should be converted as > well. Problem is pr_debug() is a noop most of the time, and printk(KERN_DEBUG is a bit ugly ... If we print the message once, better to really print it ;) [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" ipt_CLUSTERIP users might hit this annoying printk, if they forgot an "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP rule. We could use net_ratelimit() here, or not log the message at all. I chose to log it once per config. Pablo suggested to use same logic for the "unknown protocol" message Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1e26a48..2968571 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -47,6 +47,8 @@ struct clusterip_config { u_int8_t clustermac[ETH_ALEN]; /* the MAC address */ struct net_device *dev; /* device */ u_int16_t num_total_nodes; /* total number of nodes */ + bool warned_no_conntrack; + bool warned_unknown_protocol; unsigned long local_nodes; /* node number array */ #ifdef CONFIG_PROC_FS @@ -228,7 +230,7 @@ clusterip_del_node(struct clusterip_config *c, u_int16_t nodenum) static inline u_int32_t clusterip_hashfn(const struct sk_buff *skb, - const struct clusterip_config *config) + struct clusterip_config *config) { const struct iphdr *iph = ip_hdr(skb); unsigned long hashval; @@ -236,7 +238,7 @@ clusterip_hashfn(const struct sk_buff *skb, int poff; poff = proto_ports_offset(iph->protocol); - if (poff >= 0) { + if (likely(poff >= 0)) { const u_int16_t *ports; u16 _ports[2]; @@ -246,8 +248,10 @@ clusterip_hashfn(const struct sk_buff *skb, dport = ports[1]; } } else { - if (net_ratelimit()) + if (unlikely(!config->warned_unknown_protocol)) { + config->warned_unknown_protocol = true; pr_info("unknown protocol %u\n", iph->protocol); + } } switch (config->hash_mode) { @@ -301,10 +305,14 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) ct = nf_ct_get(skb, &ctinfo); if (ct == NULL) { - pr_info("no conntrack!\n"); - /* FIXME: need to drop invalid ones, since replies - * to outgoing connections of other nodes will be - * marked as INVALID */ + if (unlikely(!cipinfo->config->warned_no_conntrack)) { + cipinfo->config->warned_no_conntrack = true; + pr_info("no conntrack!\n"); + } + /* FIXME: need to drop invalid ones, since replies + * to outgoing connections of other nodes will be + * marked as INVALID + */ return NF_DROP; } -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" 2011-01-13 11:32 ` Eric Dumazet @ 2011-01-13 11:54 ` Pablo Neira Ayuso 2011-01-13 13:38 ` [PATCH v4] netfilter: ipt_CLUSTERIP: remove " Eric Dumazet 0 siblings, 1 reply; 15+ messages in thread From: Pablo Neira Ayuso @ 2011-01-13 11:54 UTC (permalink / raw) To: Eric Dumazet; +Cc: Netfilter Development Mailinglist, netdev, Patrick McHardy On 13/01/11 12:32, Eric Dumazet wrote: > Le jeudi 13 janvier 2011 à 12:23 +0100, Pablo Neira Ayuso a écrit : >> Hi Eric, >> >> On 13/01/11 12:13, Eric Dumazet wrote: >>> ipt_CLUSTERIP users might hit this annoying printk, if they forgot an >>> "iptables -I INPUT -m state --state INVALID -j DROP" before CLUSTERIP >>> rule. We could use net_ratelimit() here, or not log the message at all. >>> I chose to log it once per config. >> >> I think that this should be converted to pr_debug() instead, there's >> also another reference to "unknown protocol" that should be converted as >> well. > > Problem is pr_debug() is a noop most of the time, > and printk(KERN_DEBUG is a bit ugly ... > > If we print the message once, better to really print it ;) But printing this does not provide any useful information. The first packet that does not belong to the cluster node that has received the packet, or the first invalid packet, will trigger this. Moreover, this confuses users since they can do nothing if they receive this message. Moreover, this target should be supersedes by the cluster match, which has been there for quite some time (it's also more flexible). ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 11:54 ` Pablo Neira Ayuso @ 2011-01-13 13:38 ` Eric Dumazet 2011-01-13 14:02 ` Jan Engelhardt 0 siblings, 1 reply; 15+ messages in thread From: Eric Dumazet @ 2011-01-13 13:38 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Netfilter Development Mailinglist, netdev, Patrick McHardy Le jeudi 13 janvier 2011 à 12:54 +0100, Pablo Neira Ayuso a écrit : > But printing this does not provide any useful information. The first > packet that does not belong to the cluster node that has received the > packet, or the first invalid packet, will trigger this. > > Moreover, this confuses users since they can do nothing if they receive > this message. > > Moreover, this target should be supersedes by the cluster match, which > has been there for quite some time (it's also more flexible). Now you mentioned it, cluster match is not as flexible right now, its hashing is on source_ip only. Many people still use ipt_CLUSTERIP, and probably for couple of years. This issue was raised several times, we should fix CLUSTERIP for good. Thanks [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" When a packet is meant to be handled by another node of the cluster, silently drop it instead of flooding kernel log. Note : INVALID packets are also dropped without notice. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> CC: Pablo Neira Ayuso <pablo@netfilter.org> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1e26a48..403ca57 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -300,13 +300,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) * that the ->target() function isn't called after ->destroy() */ ct = nf_ct_get(skb, &ctinfo); - if (ct == NULL) { - pr_info("no conntrack!\n"); - /* FIXME: need to drop invalid ones, since replies - * to outgoing connections of other nodes will be - * marked as INVALID */ + if (ct == NULL) return NF_DROP; - } /* special case: ICMP error handling. conntrack distinguishes between * error messages (RELATED) and information requests (see below) */ -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 13:38 ` [PATCH v4] netfilter: ipt_CLUSTERIP: remove " Eric Dumazet @ 2011-01-13 14:02 ` Jan Engelhardt 2011-01-13 14:39 ` Eric Dumazet 0 siblings, 1 reply; 15+ messages in thread From: Jan Engelhardt @ 2011-01-13 14:02 UTC (permalink / raw) To: Eric Dumazet Cc: Pablo Neira Ayuso, Netfilter Development Mailinglist, netdev, Patrick McHardy On Thursday 2011-01-13 14:38, Eric Dumazet wrote: >Le jeudi 13 janvier 2011 à 12:54 +0100, Pablo Neira Ayuso a écrit : > >> But printing this does not provide any useful information. The first >> packet that does not belong to the cluster node that has received the >> packet, or the first invalid packet, will trigger this. >> >> Moreover, this confuses users since they can do nothing if they receive >> this message. >> >> Moreover, this target should be supersedes by the cluster match, which >> has been there for quite some time (it's also more flexible). > >Now you mentioned it, cluster match is not as flexible right now, >its hashing is on source_ip only. I think in that case, xt_cluster should be improved rather than an old module. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 14:02 ` Jan Engelhardt @ 2011-01-13 14:39 ` Eric Dumazet 2011-01-13 16:30 ` Pablo Neira Ayuso 0 siblings, 1 reply; 15+ messages in thread From: Eric Dumazet @ 2011-01-13 14:39 UTC (permalink / raw) To: Jan Engelhardt Cc: Pablo Neira Ayuso, Netfilter Development Mailinglist, netdev, Patrick McHardy Le jeudi 13 janvier 2011 à 15:02 +0100, Jan Engelhardt a écrit : > On Thursday 2011-01-13 14:38, Eric Dumazet wrote: > > >Le jeudi 13 janvier 2011 à 12:54 +0100, Pablo Neira Ayuso a écrit : > > > >> But printing this does not provide any useful information. The first > >> packet that does not belong to the cluster node that has received the > >> packet, or the first invalid packet, will trigger this. > >> > >> Moreover, this confuses users since they can do nothing if they receive > >> this message. > >> > >> Moreover, this target should be supersedes by the cluster match, which > >> has been there for quite some time (it's also more flexible). > > > >Now you mentioned it, cluster match is not as flexible right now, > >its hashing is on source_ip only. > > I think in that case, xt_cluster should be improved rather > than an old module. Amen We should not improve IPv4 support then, I see. My customers use this old module, and upgrading to xt_cluster is not an option. Should we discuss this forever or fix it ? In the end, people are forced to add useless iptables rule to DROP INVALID packets before entering ipt_CLUSTERIP, after googling or eventually asking to experts. Last time this was discussed, this went nowhere : http://www.spinics.net/lists/netfilter/msg48676.html Come on guys, we can do it, dont be afraid. A non rate limited printk() in kernel is forbidden, especially in network stack. Then, cluster match can be improved, I am sure you already have a patch for it. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 14:39 ` Eric Dumazet @ 2011-01-13 16:30 ` Pablo Neira Ayuso 2011-01-13 16:35 ` Pablo Neira Ayuso 2011-01-18 15:28 ` Patrick McHardy 0 siblings, 2 replies; 15+ messages in thread From: Pablo Neira Ayuso @ 2011-01-13 16:30 UTC (permalink / raw) To: Eric Dumazet Cc: Jan Engelhardt, Netfilter Development Mailinglist, netdev, Patrick McHardy On 13/01/11 15:39, Eric Dumazet wrote: > Le jeudi 13 janvier 2011 à 15:02 +0100, Jan Engelhardt a écrit : >> On Thursday 2011-01-13 14:38, Eric Dumazet wrote: >> >>> Le jeudi 13 janvier 2011 à 12:54 +0100, Pablo Neira Ayuso a écrit : >>> >>>> But printing this does not provide any useful information. The first >>>> packet that does not belong to the cluster node that has received the >>>> packet, or the first invalid packet, will trigger this. >>>> >>>> Moreover, this confuses users since they can do nothing if they receive >>>> this message. >>>> >>>> Moreover, this target should be supersedes by the cluster match, which >>>> has been there for quite some time (it's also more flexible). >>> >>> Now you mentioned it, cluster match is not as flexible right now, >>> its hashing is on source_ip only. >> >> I think in that case, xt_cluster should be improved rather >> than an old module. > > Amen > > We should not improve IPv4 support then, I see. > > My customers use this old module, and upgrading to xt_cluster is not an > option. > > Should we discuss this forever or fix it ? hey hey, I'm fine with fixing things. Patch v4 is OK. Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> > In the end, people are forced to add useless iptables rule to DROP > INVALID packets before entering ipt_CLUSTERIP, after googling or > eventually asking to experts. > > Last time this was discussed, this went nowhere : > > http://www.spinics.net/lists/netfilter/msg48676.html > > Come on guys, we can do it, dont be afraid. > > A non rate limited printk() in kernel is forbidden, especially in > network stack. > > Then, cluster match can be improved, I am sure you already have a patch > for it. what scenario could benefit from the destination-based hashing? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 16:30 ` Pablo Neira Ayuso @ 2011-01-13 16:35 ` Pablo Neira Ayuso 2011-01-13 16:48 ` Eric Dumazet 2011-01-18 15:28 ` Patrick McHardy 1 sibling, 1 reply; 15+ messages in thread From: Pablo Neira Ayuso @ 2011-01-13 16:35 UTC (permalink / raw) To: Eric Dumazet Cc: Jan Engelhardt, Netfilter Development Mailinglist, netdev, Patrick McHardy On 13/01/11 17:30, Pablo Neira Ayuso wrote: > On 13/01/11 15:39, Eric Dumazet wrote: >> Then, cluster match can be improved, I am sure you already have a patch >> for it. > > what scenario could benefit from the destination-based hashing? I'm telling this because it doesn't make too sense to me. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 16:35 ` Pablo Neira Ayuso @ 2011-01-13 16:48 ` Eric Dumazet 0 siblings, 0 replies; 15+ messages in thread From: Eric Dumazet @ 2011-01-13 16:48 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Jan Engelhardt, Netfilter Development Mailinglist, netdev, Patrick McHardy Le jeudi 13 janvier 2011 à 17:35 +0100, Pablo Neira Ayuso a écrit : > On 13/01/11 17:30, Pablo Neira Ayuso wrote: > > On 13/01/11 15:39, Eric Dumazet wrote: > >> Then, cluster match can be improved, I am sure you already have a patch > >> for it. > > > > what scenario could benefit from the destination-based hashing? > > I'm telling this because it doesn't make too sense to me. Me too ;) But hash(source_IP, source_PORT) definitely make sense in some workloads. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!" 2011-01-13 16:30 ` Pablo Neira Ayuso 2011-01-13 16:35 ` Pablo Neira Ayuso @ 2011-01-18 15:28 ` Patrick McHardy 1 sibling, 0 replies; 15+ messages in thread From: Patrick McHardy @ 2011-01-18 15:28 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Eric Dumazet, Jan Engelhardt, Netfilter Development Mailinglist, netdev On 13.01.2011 17:30, Pablo Neira Ayuso wrote: > On 13/01/11 15:39, Eric Dumazet wrote: > hey hey, I'm fine with fixing things. Patch v4 is OK. > > Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Applied, thanks. ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2011-01-18 15:28 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-01-12 21:17 netfilter tree for 2.6.38 is open Pablo Neira Ayuso 2011-01-13 11:13 ` [PATCH] netfilter: ipt_CLUSTERIP: dont flood with "no conntrack!" Eric Dumazet 2011-01-13 11:23 ` Pablo Neira Ayuso 2011-01-13 11:28 ` Patrick McHardy 2011-01-13 11:29 ` Pablo Neira Ayuso 2011-01-13 11:36 ` Eric Dumazet 2011-01-13 11:32 ` Eric Dumazet 2011-01-13 11:54 ` Pablo Neira Ayuso 2011-01-13 13:38 ` [PATCH v4] netfilter: ipt_CLUSTERIP: remove " Eric Dumazet 2011-01-13 14:02 ` Jan Engelhardt 2011-01-13 14:39 ` Eric Dumazet 2011-01-13 16:30 ` Pablo Neira Ayuso 2011-01-13 16:35 ` Pablo Neira Ayuso 2011-01-13 16:48 ` Eric Dumazet 2011-01-18 15:28 ` Patrick McHardy
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).