"commit" word:
Ref: commit e10d3ba4d434 ("ipvs: Fix checksumming on GSO of SCTP packets")
> Signed-off-by: Ismael Luceno
Looks good to me for nf-next, thanks!
Acked-by: Julian Anastasov
> CC: Pablo Neira Ayuso
> CC: Michal Kubeček
> CC: Simon Horman
> CC: Julian A
/github.com/kubernetes/kubernetes/blob/b722d017a34b300a2284b890448e5a605f21d01e/pkg/proxy/ipvs/proxier.go#L103
> [2]
> Link:
> https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/osl/namespace_linux.go#L682
> [3]
>
> Cc: Julian Anastasov
Hello,
On Mon, 6 May 2024, Alexander Mikhalitsyn wrote:
> Cc: Julian Anastasov
> Cc: Simon Horman
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Florian Westphal
> Suggested-by: Julian Anastasov
> Signed-off-by: Alexander Mikhalitsyn
Looks go
/github.com/kubernetes/kubernetes/blob/b722d017a34b300a2284b890448e5a605f21d01e/pkg/proxy/ipvs/proxier.go#L103
> [2]
> Link:
> https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/osl/namespace_linux.go#L682
> [3]
>
> Cc: Stéphane Graber
> Cc:
when using GSO.
>
> Fixes: 90017accff61 ("sctp: Add GSO support", 2016-06-02)
> Co-developed-by: Firo Yang
> Signed-off-by: Ismael Luceno
> Tested-by: Andreas Taschner
> CC: Michal Kubeček
> CC: Simon Horman
> CC: Julian Anastasov
> CC: lvs-de...@vger.kernel
Hello,
On Sun, 21 Apr 2024, Ismael Luceno wrote:
> On 21/Apr/2024 14:01, Julian Anastasov wrote:
>
> > I'm guessing what should be the Fixes line, may be?:
> >
> > Fixes: 90017accff61 ("sctp: Add GSO support")
>
> This seems like t
Hello,
On Thu, 18 Apr 2024, Alexander Mikhalitsyn wrote:
> Cc: Julian Anastasov
> Cc: Simon Horman
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Florian Westphal
> Suggested-by: Julian Anastasov
> Signed-off-by: Alexander Mikhalitsyn
Loo
when using GSO.
>
> Co-developed-by: Firo Yang
> Signed-off-by: Ismael Luceno
> Tested-by: Andreas Taschner
> CC: Michal Kubeček
> CC: Simon Horman
> CC: Julian Anastasov
> CC: lvs-de...@vger.kernel.org
> CC: netfilter-de...@vger.kernel.org
> CC: net...
Hello,
On Thu, 18 Apr 2024, Alexander Mikhalitsyn wrote:
> Cc: Julian Anastasov
> Cc: Simon Horman
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Florian Westphal
> Suggested-by: Julian Anastasov
> Signed-off-by: Alexander Mikhalitsyn
> -
> https://github.com/kubernetes/kubernetes/blob/b722d017a34b300a2284b890448e5a605f21d01e/pkg/proxy/ipvs/proxier.go#L103
>
> Cc: Stéphane Graber
> Cc: Christian Brauner
> Cc: Julian Anastasov
> Cc: Simon Horman
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Flori
== NULL) {
> IP_VS_DBG(1, "%s(): no memory\n", __func__);
> ret = -ENOMEM;
> @@ -4139,98 +4139,98 @@ static const struct genl_small_ops ip_vs_genl_ops[] =
> {
> {
> .cmd= IPVS_CMD_NEW_SERVICE,
> .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> - .flags = GENL_ADMIN_PERM,
> + .flags = GENL_UNS_ADMIN_PERM,
> .doit = ip_vs_genl_set_cmd,
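Review bot: changing `.flags` from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM on IPVS_CMD_NEW_SERVICE moves the capability check from the initial user namespace to the user namespace that owns the netns, so a container root with CAP_NET_ADMIN can now reach ip_vs_genl_set_cmd. The commit message should say which resources reachable from this handler were audited as per-netns and bounded, since the visible lines change only the permission flag and not any limit.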
...
Regards
--
Julian Anastasov
cation Center (linuxtesting.org).
>
> Fixes: 8d8e20e2d7bb ("ipvs: Decrement ttl")
> Signed-off-by: Fedor Pchelkin
Looks good to me, thanks!
Acked-by: Julian Anastasov
> ---
> net/netfilter/ipvs/ip_vs_xmit.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletion
and as conn can start in established state, we should
avoid touching these counters. For UDP ONE_PACKET has no such problem
with states but for TCP/SCTP we should take care.
Regards
--
Julian Anastasov
IP_VS_DBG(6,
> + "MHS: %s(): Unstable, need_state=%s,
> SYN packet\n",
> + __func__,
> + *need_state ? "true" : "false");
> + } else {
> + /* Not SYN packet */
> + final_dest = dests.dest;
> + IP_VS_DBG(6,
> + "MHS: %s(): Unstable, need_state=%s,
> not SYN packet\n",
> + __func__,
> + *need_state ? "true" : "false");
> + }
> + } else if (iph->protocol == IPPROTO_UDP) {
> + /* UDP */
> + final_dest = dests.new_dest;
> + IP_VS_DBG(6,
> + "MHS: %s(): Unstable, need_state=%s, UDP
> packet\n",
> + __func__,
> + *need_state ? "true" : "false");
> + }
> + } else {
> + /* stable */
> + final_dest = dests.dest;
> + IP_VS_DBG(6,
> + "MHS: %s(): Stable, need_state=%s\n",
> + __func__,
> + *need_state ? "true" : "false");
> + }
> + return final_dest;
> +}
> +
> +/* IPVS MHS Scheduler structure */
> +static struct ip_vs_scheduler ip_vs_mhs_scheduler = {
> + .name ="mhs",
> + .refcnt =ATOMIC_INIT(0),
> + .module =THIS_MODULE,
> + .n_list =LIST_HEAD_INIT(ip_vs_mhs_scheduler.n_list),
> + .init_service =ip_vs_mhs_init_svc,
> + .done_service =ip_vs_mhs_done_svc,
> + .add_dest =ip_vs_mhs_dest_changed,
> + .del_dest =ip_vs_mhs_dest_changed,
> + .upd_dest =ip_vs_mhs_dest_changed,
> + .schedule_sl =ip_vs_mhs_schedule,
> +};
> +
> +static int __init
> +ip_vs_mhs_init(void)
> +{
> + return register_ip_vs_scheduler(&ip_vs_mhs_scheduler);
> +}
> +
> +static void __exit
> +ip_vs_mhs_cleanup(void)
> +{
> + unregister_ip_vs_scheduler(&ip_vs_mhs_scheduler);
> + rcu_barrier();
> +}
> +
> +module_init(ip_vs_mhs_init);
> +module_exit(ip_vs_mhs_cleanup);
> +MODULE_DESCRIPTION("Stateless Maglev hashing ipvs scheduler");
> +MODULE_LICENSE("GPL");
> +MODULE_AUTHOR("Lev Pantiukhin ");
> diff --git a/net/netfilter/ipvs/ip_vs_proto_tcp.c
> b/net/netfilter/ipvs/ip_vs_proto_tcp.c
> index 7da51390cea6..31a8c1bfc863 100644
> --- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
> +++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c
> @@ -38,7 +38,7 @@ tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct
> sk_buff *skb,
> struct ip_vs_iphdr *iph)
> {
> struct ip_vs_service *svc;
> - struct tcphdr _tcph, *th;
> + struct tcphdr _tcph, *th = NULL;
> __be16 _ports[2], *ports = NULL;
>
> /* In the event of icmp, we're only guaranteed to have the first 8
> @@ -47,11 +47,8 @@ tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct
> sk_buff *skb,
>*/
> if (likely(!ip_vs_iph_icmp(iph))) {
> th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph);
> - if (th) {
> - if (th->rst || !(sysctl_sloppy_tcp(ipvs) || th->syn))
> - return 1;
> + if (th)
> ports = &th->source;
> - }
> } else {
> ports = skb_header_pointer(
> skb, iph->len, sizeof(_ports), &_ports);
> @@ -74,6 +71,17 @@ tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct
> sk_buff *skb,
> if (svc) {
> int ignored;
>
> + if (th) {
> + /* If sloppy_tcp or IP_VS_SVC_F_STATELESS is true,
> + * all SYN packets are scheduled except packets
> + * with set RST flag.
> + */
> + if (!sysctl_sloppy_tcp(ipvs) &&
> + !(svc->flags & IP_VS_SVC_F_STATELESS) &&
> + (!th->syn || th->rst))
> + return 1;
> + }
Probably same can be done for sctp_conn_schedule()
> +
> if (ip_vs_todrop(ipvs)) {
> /*
>* It seems that we are very loaded.
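Review bot: in the added `if (th)` block the RST test sits behind `!sysctl_sloppy_tcp(ipvs)` and `!(svc->flags & IP_VS_SVC_F_STATELESS)`, whereas the removed check `th->rst || !(sysctl_sloppy_tcp(ipvs) || th->syn)` returned 1 for an RST segment regardless of sloppy_tcp. With sloppy_tcp enabled or the stateless flag set, an RST now reaches the scheduler, which also contradicts the new comment ("except packets with set RST flag"). Suggest keeping the RST test unconditional, for example `if (th->rst || (!sysctl_sloppy_tcp(ipvs) && !(svc->flags & IP_VS_SVC_F_STATELESS) && !th->syn)) return 1;`.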
> --
> 2.17.1
Regards
--
Julian Anastasov
ate_net* return NULL
> when PROC is not used.
>
> Fixes: b17fc9963f83 ("IPVS: netns, ip_vs_stats and its procfs")
> Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.")
> Reported-by: Hulk Robot
> Signed-off-by: Wang Hai
"ip_vs_stats_percpu", ipvs->net->proc_net);
err_percpu:
> + remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
err_stats:
> + remove_proc_entry("ip_vs", ipvs->net->proc_net);
err_vs:
#endif
> free_percpu(ipvs->tot_stats.cpustats);
> return -ENOMEM;
> }
> --
Regards
--
Julian Anastasov
Hello,
On Mon, 16 Nov 2020, Yejune Deng wrote:
> atomic_inc_return() looks better
>
> Signed-off-by: Yejune Deng
Looks good to me for -next, thanks!
Acked-by: Julian Anastasov
> ---
> net/netfilter/ipvs/ip_vs_core.c | 2 +-
> net/netfilter/ipvs/ip_vs_sy
ests(): #ifdef can be before declarations,
try to use long-to-short lines (reverse xmas tree order
for variables in declarations)
- print_service_entry(): no need to check d before free(d),
free() checks it itself, just like kfree() in kernel.
- ipvs_services_dests_parse_cb: we should stop if realloc() fails,
sadly, existing code does not check realloc() result but
for new code we should do it
- ipvs_get_services_dests(): kernel avoids using assignments in
'if' condition, we do the same for new code. You have to
split such code to assignment+condition.
- there are extra parentheses in code such as sizeof(*(get->index)),
that should be fine instead: sizeof(*get->index), same for
sizeof(get->index[0]). Extra parens also for &(get->dests),
etc.
- as new code runs only for LIBIPVS_USE_NL, check if it is wrapped
in proper #ifdef in libipvs/libipvs.c. Make sure
ipvsadm compiles without LIBIPVS_USE_NL.
- the extern word should not be used in .h files anymore
Some of the above styling issues are also reported by
linux# scripts/checkpatch.pl --strict /tmp/ipvsadm.patch
As we try to apply to ipvsadm the same styling rules
that are used for networking in kernel, you should be able
to fix all such places with help from checkpatch.pl. Probably,
you know about this file:
Documentation/process/coding-style.rst
Regards
--
Julian Anastasov
) {
> + if (ip_vs_genl_dump_service_dests(skb, cb, ipvs,
> + svc, &ctx))
> + goto nla_put_failure;
> + }
> + ctx.idx_svc = 0;
> + ctx.start_svc = 0;
ctx->idx_dest = 0;
ctx->start_dest = 0;
> + }
row = 0;# Not needed
tab++; $ tab = 2 to indicate EOF
> +
> +nla_put_failure:
> + cb->args[0] = ctx.idx_svc;
> + cb->args[1] = ctx.idx_dest;
> + cb->args[2] = tab;
> + cb->args[3] = row;
> +
> +out_err:
> + mutex_unlock(&__ip_vs_mutex);
> +
> + return skb->len;
> +}
> +
> static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
>struct nlattr *nla, bool full_entry)
> {
> @@ -3991,6 +4143,12 @@ static const struct genl_small_ops ip_vs_genl_ops[] = {
> .flags = GENL_ADMIN_PERM,
> .doit = ip_vs_genl_set_cmd,
> },
> + {
> + .cmd= IPVS_CMD_GET_SERVICE_DEST,
> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> + .flags = GENL_ADMIN_PERM,
> + .dumpit = ip_vs_genl_dump_services_destinations,
> + },
> };
>
> static struct genl_family ip_vs_genl_family __ro_after_init = {
> --
> 2.25.1
Regards
--
Julian Anastasov
is behavior while writing this patch and even
> created a few crude validation scripts running parallel agents and
> checking the diff in [1].
Ok, make sure your tests cover cases with multiple
dests, so that single service occupies multiple packets,
I'm not sure if 100 dests fit in one packet or not.
Regards
--
Julian Anastasov
+
> static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
>struct nlattr *nla, bool full_entry)
> {
> @@ -3991,6 +4094,12 @@ static const struct genl_small_ops ip_vs_genl_ops[] = {
> .flags = GENL_ADMIN_PERM,
> .doit = ip_vs_genl_set_cmd,
> },
> + {
> + .cmd= IPVS_CMD_GET_SERVICE_DEST,
> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> + .flags = GENL_ADMIN_PERM,
> + .dumpit = ip_vs_genl_dump_services_destinations,
> + },
> };
>
> static struct genl_family ip_vs_genl_family __ro_after_init = {
> --
Regards
--
Julian Anastasov
Hello,
On Mon, 28 Sep 2020, longguang.yue wrote:
> Outputting client,virtual,dst addresses info when tcp state changes,
> which makes the connection debug more clear
>
> Signed-off-by: longguang.yue
OK, v5 can be used instead of fixing v4.
Acked-by: Juli
Hello,
On Sun, 27 Sep 2020, longguang.yue wrote:
> outputting client,virtual,dst addresses info when tcp state changes,
> which makes the connection debug more clear
>
> Signed-off-by: longguang.yue
Looks good to me, thanks!
Acked-by: Juli
7 ("ipvs: Fix faulty IPv6 extension header handling in
> IPVS").
> Signed-off-by: Yaroslav Bolyukin
Looks good to me, thanks! May be maintainers will
remove the extra dot after the Fixes line.
Acked-by: Julian Anastasov
> ---
> Missed canonical patch format sectio
IP_VS
> config IP_VS_IPV6
> bool "IPv6 support for IPVS"
> depends on IPV6 = y || IP_VS = IPV6
> - select IP6_NF_IPTABLES
> select NF_DEFRAG_IPV6
> help
> Add IPv6 support to IPVS.
> --
Regards
--
Julian Anastasov
PV6
> - select IP6_NF_IPTABLES
> select NF_DEFRAG_IPV6
> help
> Add IPv6 support to IPVS.
> --
> 2.28.0
Regards
--
Julian Anastasov
appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
> Suggested-by: Julian Anastasov
> Signed-off-by: Peilin Ye
Looks good to me, thanks!
Acked-by: Julian Anastasov
> ---
> Changes in v2:
> - Target net-next tree. (Suggested by Julian Anastasov )
> - Reject all `len == 0` requests
ID(cmd)]);
> @@ -2547,9 +2549,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user
> *user, unsigned int len)
> break;
> case IP_VS_SO_SET_DELDEST:
> ret = ip_vs_del_dest(svc, &udest);
> - break;
> - default:
> - ret = -EINVAL;
> }
>
>out_unlock:
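Review bot: with the `default: ret = -EINVAL;` arm removed from this switch, a cmd that matches no case leaves `ret` at whatever value it held before the switch. The visible lines do not show the earlier validation, so the commit message or a short comment above the switch should state where unknown commands are now rejected, or `ret` should be initialised to an error before the switch.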
Regards
--
Julian Anastasov
nt ip_vs_in_icmp_v6(struct netns_ipvs *ipvs,
> struct sk_buff *skb,
> }
>
> if (resched) {
> + if (uses_ct)
> + cp->flags &= ~IP_VS_CONN_F_NFCT;
> if (!atomic_read
ead of
> "then the client program".
> Or a more detailed explanation.
Yes, if the packet is SYN we can create new connection.
If it is ACK, the retransmission will get RST.
Regards
--
Julian Anastasov
nnection with unavailable dest,
as before
- create new connection to available destination that will be found
first in lists. But it can work only when sysctl var "conntrack" is 0,
we do not want to create two netfilter conntracks to different
real servers.
Note that we intentionally removed the timer_pending() check
because we can not see existing ONE_PACKET connections in table.
Regards
--
Julian Anastasov
/* try to expire the connection immediately */
> ip_vs_conn_expire_now(cp);
> }
You can also look at the discussion which resulted in
the last patch for this place:
http://archive.linuxvirtualserver.org/html/lvs-devel/2018-07/msg00014.html
Regards
--
Julian Anastasov
.
> # ipvs.sh: PASS
> ok 6 selftests: netfilter: ipvs.sh
>
> Haishuang Yan (3):
> selftests: netfilter: add ipvs test script
> selftests: netfilter: add ipvs nat test case
> selftests: netfilter: add ipvs tunnel test case
Acked-by: Julian Anastasov
> t
| 2 +-
> tools/testing/selftests/netfilter/ipvs.sh | 234
> +
> 2 files changed, 235 insertions(+), 1 deletion(-)
> create mode 100755 tools/testing/selftests/netfilter/ipvs.sh
Patchset v2 looks good to me, thanks!
Acked-by: Julian Anastasov
Regards
--
Julian Anastasov
ip_vs_ctl.c | 12 ++++---
> 3 files changed, 38 insertions(+), 23 deletions(-)
Both patches in v2 look good to me, thanks!
Acked-by: Julian Anastasov
This is for the -next kernels...
Regards
--
Julian Anastasov
,12 @@ run_tests() {
> test_nat
> errors=$(( $errors + $? ))
>
> + echo "Testing Tunnel mode..."
> + cleanup
> + setup
> + test_tun
> + errors=$(( $errors + $? ))
> +
> return $errors
> }
>
> --
> 1.8.3.1
Regards
--
Julian Anastasov
ip_vs_conn_net_cleanup(ipvs);
> >> + ip_vs_app_net_cleanup(ipvs);
> >> + ip_vs_protocol_net_cleanup(ipvs);
> >> + ip_vs_control_net_cleanup(ipvs);
> >> + ip_vs_estimator_net_cleanup(ipvs);
> >> + IP_VS_DBG(2, "ipvs netns %d released\n", ipvs->gen);
> >> + net->ipvs = NULL;
Regards
--
Julian Anastasov
, &end) != 1)
> return 1;
>
> - IP_VS_DBG_BUF(7, "EPSV response (%s:%u) -> %s:%u detected\n",
> - IP_VS_DBG_ADDR(cp->af, &from), ntohs(port),
> - IP_VS_DBG_ADDR(cp->af, &cp->caddr), 0);
> + IP_VS_DBG(7, "EPSV response (%pISpc) -> %pISc detected\n",
> + IP_VS_DBG_SOCKADDR(cp->af, &from, port),
> + IP_VS_DBG_SOCKADDR(cp->af, &cp->caddr, 0));
> } else {
> return 1;
> }
> @@ -510,15 +510,15 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct
> ip_vs_conn *cp,
> &to, &port, cp->af,
> &start, &end) == 1) {
>
> - IP_VS_DBG_BUF(7, "EPRT %s:%u detected\n",
> - IP_VS_DBG_ADDR(cp->af, &to), ntohs(port));
> + IP_VS_DBG(7, "EPRT %pISpc detected\n",
> + IP_VS_DBG_SOCKADDR(cp->af, &to, port));
>
> /* Now update or create a connection entry for it */
> - IP_VS_DBG_BUF(7, "protocol %s %s:%u %s:%u\n",
> - ip_vs_proto_name(ipvsh->protocol),
> - IP_VS_DBG_ADDR(cp->af, &to), ntohs(port),
> - IP_VS_DBG_ADDR(cp->af, &cp->vaddr),
> - ntohs(cp->vport)-1);
> + IP_VS_DBG(7, "protocol %s %pISpc %pISpc\n",
> + ip_vs_proto_name(ipvsh->protocol),
> + IP_VS_DBG_SOCKADDR(cp->af, &to, port),
> + IP_VS_DBG_SOCKADDR(cp->af, &cp->vaddr,
> + htons(ntohs(cp->vport)-1)));
> } else {
> return 1;
> }
> --
> 2.20.0
Regards
--
Julian Anastasov
tocol_net_cleanup(ipvs);
> + ip_vs_control_net_cleanup(ipvs);
> + ip_vs_estimator_net_cleanup(ipvs);
> + IP_VS_DBG(2, "ipvs netns %d released\n", ipvs->gen);
> + net->ipvs = NULL;
> + }
> }
Regards
--
Julian Anastasov
isn’t known
> struct gre_base_hdr _greh, *greh;
> ^
Regards
--
Julian Anastasov
IP_VS_DBG_ADDR(cp->af, &cp->vaddr),
> - ntohs(cp->vport));
> + pr_err("request control DEL for uncontrolled: "
> +"%pISp to %pISp\n",
ip_vs_dbg_addr() used compact form (%pI6c), so it would be
better to use %pISc and %pISpc everywhere in IPVS...
Also, note that before now port was printed with %d and
ntohs() was used, now port should be in network order, so:
- ntohs() should be removed
- htons() should be added, if missing. At first look, this case
is not present in IPVS, we have only ntohs() usage
Regards
--
Julian Anastasov
group_kthread_ready();
> __kthread_parkme(self);
> ret = threadfn(data);
> }
>
> So, apparently the thread parameters must always be owned by the owner of the
> kthread, not by the kthread itself. It seems like this would be a common
> mistake in kernel code; I'm surprised this doesn't come up more...
Thanks! It explains the problem. It was not obvious from the
fact that only tinfo was reported as a leak, nothing for tinfo->sock.
Moving sock_release to owner complicates the locking but
I'll try to fix it in the following days...
Regards
--
Julian Anastasov
nf_register_net_hooks() is called there.
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Regards
--
Julian Anastasov
Signed-off-by: Jacky Hu
Looks good to me, thanks!
Signed-off-by: Julian Anastasov
> ---
> v4->v3:
> 1) defer pd assignment after data += GUE_LEN_PRIV
>
> v3->v2:
> 1) fixed CHECK: spaces preferred around that '<<' (ctx:VxV)
>
> v2
skb->ip_summed = CHECKSUM_NONE;
> + skb->encapsulation = 0;
> + }
> +
> + *flags |= GUE_PFLAG_REMCSUM;
> + data += GUE_PLEN_REMCSUM;
> + }
> +
Regards
--
Julian Anastasov
<<1)
scripts/checkpatch.pl --strict file.patch
reports for some issues you should resolve for v3.
Otherwise, the patch looks good to me.
Regards
--
Julian Anastasov
max_headroom,
>&next_protocol, &payload_len,
> @@ -1208,8 +1297,17 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct
> ip_vs_conn *cp,
> goto tx_error;
>
> gso_type = __tun_gso_type_mask(AF_INET6, cp->af);
> - if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE)
> - gso_type |= SKB_GSO_UDP_TUNNEL;
> + if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
> + if ((tun_flags & IP_VS_TUNNEL_ENCAP_FLAG_CSUM) ||
> + (tun_flags & IP_VS_TUNNEL_ENCAP_FLAG_REMCSUM))
> + gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
> + else
> + gso_type |= SKB_GSO_UDP_TUNNEL;
> + if ((tun_flags & IP_VS_TUNNEL_ENCAP_FLAG_REMCSUM) &&
> + skb->ip_summed == CHECKSUM_PARTIAL) {
> + gso_type |= SKB_GSO_TUNNEL_REMCSUM;
> + }
> + }
>
> if (iptunnel_handle_offloads(skb, gso_type))
> goto tx_error;
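Review bot: the inner `if` testing IP_VS_TUNNEL_ENCAP_FLAG_REMCSUM together with `skb->ip_summed == CHECKSUM_PARTIAL` wraps a single statement in braces, while the if/else directly above it does not. Kernel coding style omits braces around a single statement, so drop them here for consistency.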
> @@ -1218,8 +1316,18 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct
> ip_vs_conn *cp,
>
> skb_set_inner_ipproto(skb, next_protocol);
>
> - if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE)
> - ipvs_gue_encap(net, skb, cp, &next_protocol);
> + if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
> + bool check = false;
> +
> + if (ipvs_gue_encap(net, skb, cp, &next_protocol))
> + goto tx_error;
> +
> + if ((tun_flags & IP_VS_TUNNEL_ENCAP_FLAG_CSUM) ||
> + (tun_flags & IP_VS_TUNNEL_ENCAP_FLAG_REMCSUM))
> + check = true;
> +
> + udp6_set_csum(!check, skb, &saddr, &cp->daddr.in6, skb->len);
> + }
>
> skb_push(skb, sizeof(struct ipv6hdr));
> skb_reset_network_header(skb);
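Review bot: `check` repeats the same CSUM-or-REMCSUM test on tun_flags that the previous hunk uses to choose SKB_GSO_UDP_TUNNEL_CSUM; computing it once before the gso_type selection and reusing it for `udp6_set_csum(!check, ...)` would keep the two decisions from drifting apart. The new `goto tx_error` on a failing ipvs_gue_encap() is a behaviour change that deserves a line in the commit message.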
> --
> 2.21.0
Regards
--
Julian Anastasov
>
> This patch moves nf_unregister_net_hooks from __ip_vs_cleanup()
> to __ip_vs_dev_cleanup(), where rcu_barrier() is called by
> unregister_pernet_device -> unregister_pernet_operations,
> that will do the needed grace period.
>
> Reported-by: Hulk Robot
> Fixes: e
to tx_error;
>
> - if (iptunnel_handle_offloads(skb, __tun_gso_type_mask(AF_INET6,
> cp->af)))
> + if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE)
> + gso_type = SKB_GSO_UDP_TUNNEL;
> + else
> + gso_type = __tun_gso_type_mask(AF_INET6, cp->af);
Here too
> + if (iptunnel_handle_offloads(skb, gso_type))
> goto tx_error;
Regards
--
Julian Anastasov
>
> Fix this by checking whether the timer already started.
>
> Signed-off-by: Tan Hu
> Reviewed-by: Jiang Biao
v3 looks good to me,
Acked-by: Julian Anastasov
Simon and Pablo, this can be applied to ipvs/nf tree...
> ---
> v2: fix use-after-free in CONN_ONE_PAC
x this by checking whether the timer already started.
>
> Signed-off-by: Tan Hu
> Reviewed-by: Jiang Biao
> ---
> v2: fix use-after-free in CONN_ONE_PACKET case suggested by Julian Anastasov
>
> net/netfilter/ipvs/ip_vs_core.c | 15 +++
> 1 file changed
: 0001
> Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb de
> 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 90 90
> 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
> RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: 8801c976f800
> ---[ end trace 624046f2d9af7702 ]---
Just to let you know that I tested a patch with
the syzbot, will do more tests before submitting...
Regards
--
Julian Anastasov
t_sync_thread should be resolved soon...
> > IPVS: sync thread started: state = BACKUP, mcast_ifn = lo, syncid = 0, id =
> > 0
> > IPVS: stopping backup sync thread 4546 ...
> >
> >
> > IPVS: stopping backup sync thread 4559 ...
> > WARNING: possible recursive locking detected
Regards
--
Julian Anastasov
d.c:238
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
> Sending NMI from CPU 1 to CPUs 0:
> NMI backtrace for cpu 0 skipped: idling at native_safe_halt+0x6/0x10
> arch/x86/include/asm/irqflags.h:54
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug report.
> Note: all commands must start from beginning of the line in the email body.
Regards
--
Julian Anastasov
ool copy)
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 2465607..e140ba4 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -4864,6 +4864,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
> if (!xnet)
> return;
>
> + ipvs_reset(skb);
> skb_orphan(skb);
> skb->mark = 0;
> }
> --
> 1.7.12.4
Regards
--
Julian Anastasov
> Cc: Simon Horman
> Cc: Julian Anastasov
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Florian Westphal
> Cc: "David S. Miller"
> Cc: net...@vger.kernel.org
> Cc: lvs-de...@vger.kernel.org
> Cc: netfilter-de...@vger.kernel.org
> Cc: coret...@netfilter
size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP 0A010102:0050 wlc
>
> Signed-off-by: KUWAZAWA Takuya
Looks good to me
Acked-by: Julian Anastasov
Simon, please apply to ipvs tree.
>
of the ip_vs_conn structure. This works because
> the layout is identical, but seems error-prone, so I'm changing
> this in the process to directly copy the two members. This change
> seemed to have no effect on the object code or the warning, but
> it deals with the same data, so I
> be redundant, so remove it.
>
> This change may increase probe traffic, but it's essential since NUD_STALE
> lladdr is unreliable. To ensure correctness, we prefer to resolve lladdr,
> when we can't get confirmation, even while remote packets try to set
> NUD_STALE st
state. If your patch is accepted, I'll post second patch that
adds the line with the ADMIN check. As result, the code will
look like the example from Yoshifuji Hideaki above.
Regards
--
Julian Anastasov
from ARP reply.
See above, received broadcast GARP reply can set
NUD_STALE. But the most trivial case of GW exposing its
IP while looking for other hosts should be the culprit.
It probably happens often, that is why we have no chance
to send ARP requests, GW is more ARP-active than us and
updates our cache and we are happy.
Regards
--
Julian Anastasov
Hello,
On Sat, 23 Jul 2016, Chunhui He wrote:
> On Sat, 23 Jul 2016 09:17:59 +0300 (EEST), Julian Anastasov
> wrote:
> >
> > What kind of problem is this? Remote host wants to
> > see a recent probe from us, otherwise it refuses to resolve
> > our ad
from us
and we may cycle between NUD_STALE and NUD_DELAY if
such remote packets come more often.
So, the question is, to avoid probes or to refresh
frequently? Is there a good reason to ignore this NUD_STALE
event in NUD_DELAY | NUD_PROBE state?
> NUD_STALE --> NUD_DELAY -(send req again)-> ... -->
> NUD_REACHABLE
Regards
--
Julian Anastasov
o out;
} else {
if (lladdr == neigh->ha && new == NUD_STALE &&
- ((flags & NEIGH_UPDATE_F_WEAK_OVERRIDE) ||
-(old & NUD_CONNECTED))
- )
-
sock = make_send_sock(ipvs, id);
> else
> - sock = make_receive_sock(ipvs, id);
> + sock = make_receive_sock(ipvs, id, dev->ifindex);
> if (IS_ERR(sock)) {
> result = PTR_ERR(sock);
> goto outtinfo;
> --
> 1.7.7.6
Regards
--
Julian Anastasov
>
> v2 fixes a compile error in a debug message identified by kbuild test
> robot. Now compiles with CONFIG_IP_VS_DEBUG enabled. Patch 2/5 is modified
> to correct the problem, and patch 3/5 is modified to apply with the
> modified patch 2/5.
>
> v3 incorporates changes suggested b
tinfo->id, ipvs->mcfg.sync_maxlen);
<--- 2 TABs --->
But it should be:
pr_info("sync thread started: state = MASTER, mcast_ifn = %s, "
"syncid = %d, id = %d, maxlen = %d\n",
ipvs->mcfg.mcast_ifn, ipvs->mcfg.syncid,
tinfo->id, ipvs->mcfg.sync_maxlen);
< 1 TAB>
Also, the new pr_info calls exceed 80 columns.
May be you can reduce the many spaces.
Regards
--
Julian Anastasov
ave coding style warnings from checkpatch
that can be fixed, you can check them in this way:
scripts/checkpatch.pl --strict /tmp/file.patch
Regards
--
Julian Anastasov
l counted as "inactive", i.e. cheap ones. They become
> "active" quickly but at that time, all of them are already assigned to one
> real server (or few), resulting in highly unbalanced distribution.
>
> Address this by counting the "pre-established" state
atomic_inc(&dest->inactconns);
> cp->flags |= IP_VS_CONN_F_INACTIVE;
> } else if ((cp->flags & IP_VS_CONN_F_INACTIVE) &&
> - (new_state == IP_VS_TCP_S_ESTABLISHED)) {
> +tcp_state_active(new_state)) {
> atomic_inc(&dest->activeconns);
> atomic_dec(&dest->inactconns);
> cp->flags &= ~IP_VS_CONN_F_INACTIVE;
> --
> 2.8.3
Regards
--
Julian Anastasov
-off-by: Arnd Bergmann
> Fixes: b0e010c527de ("ipvs: replace ip_vs_fill_ip4hdr with
> ip_vs_fill_iph_skb_off")
Looks ok to me,
Acked-by: Julian Anastasov
but see below...
> ---
> net/netfilter/ipvs/ip_vs_pe_sip.c | 4 ++--
> 1 file changed, 2 insertions(
ree. I guess, Simon should drop it and
use this one instead when net-next opens:
Acked-by: Julian Anastasov
> ---
> net/netfilter/ipvs/ip_vs_app.c | 8 ++--
> net/netfilter/ipvs/ip_vs_ctl.c | 15 ++-
> 2 files changed, 8 insertions(+), 15 deletions(-)
>
>
the cache.
Patch looks ok to me but I'm not sure if we should
worry for the unicast traffic. If we want frequent
updates only for loopback then the check could be:
if (rt_cache_valid(rth) &&
(!(flags & RTCF_LOCAL) || rth->rt_iif == orig_oif)) {
Or the fo
two. So now I'm a little unsure about my initial conclusions.
> >
> > On 29. sep. 2015 09:40, Julian Anastasov wrote:
> >> On Tue, 29 Sep 2015, Andre Tomt (LKML) wrote:
>
> >>They are 2 related patches, the first one is
> >> [PATCH 4.1 124/159]
Hello,
On Tue, 29 Sep 2015, Andre Tomt (LKML) wrote:
> On 26. sep. 2015 22:56, Greg Kroah-Hartman wrote:
> > 4.1-stable review patch. If anyone has any objections, please let me know.
> >
> > --
> >
> > From: Julian Ana
to use other locking too. ip_vs_wlc.c scheduler
is example where sched_lock is not used because only
svc->destinations is accessed which is protected with RCU
by definition. You can check __ip_vs_unlink_dest() how
dest is unlinked with list_del_rcu() before sched->del_dest
method is called.
Re
o protect only access to svc->sched_data
fields.
It seems the comment is outdated after
commit ceec4c381681 ("ipvs: convert services to rcu").
Regards
--
Julian Anastasov
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a me
set_current_state(state);
/* test_bit after memory barrier */
if (kthread_should_stop())
return timeout;
return schedule_timeout(timeout);
}
Regards
--
Julian Anastasov
__ret = timeout; \
> + might_sleep(); \
> + if (!___wait_cond_timeout(condition)) \
> + ret = __wait_event_idle_timeout(wq, condition, timeout);\
ret may need unde
d state "B"=2048,
with 2 TASK_NOLOAD variants: N(idle) and B(blocked,
2|1024|2048, eg. for read-blocked or write-blocked).
It will need additional argument 'state'/'blocked' for
*wait_event_idle().
Regards
--
Julian Anastasov
Hello,
On Fri, 23 Jan 2015, Julian Anastasov wrote:
> On Tue, 20 Jan 2015, Chris Caputo wrote:
>
> > My application consists of incoming TCP streams being load balanced to
> > servers which receive the feeds. These are long lived multi-gigabyte
> > strea
> @@ -390,8 +390,8 @@ struct ip_vs_estimator {
> u32 cps;
> u32 inpps;
> u32 outpps;
> - u32 inbps;
> - u32 outbps;
> + u64 inbps;
> + u6
Hello,
On Tue, 20 Jan 2015, Chris Caputo wrote:
> On Tue, 20 Jan 2015, Julian Anastasov wrote:
> > > + (u64)dr * (u64)lwgt < (u64)lr * (u64)dwgt ||
> [...]
> > > +(dr == lr && dwgt > lwgt)) {
> >
lr = dr;
> + lwgt = dwgt;
> + svc->sched_data = q;
Better to update sched_data at final, see below...
> + }
> + }
> + q = list_next_rcu(q);
> + } while (q != p);
i
patches to stable@ so that I can apply them?
I asked Pablo for the old fix for IPVS-FTP:
http://www.spinics.net/lists/lvs-devel/msg03879.html
The new fix for the xfrm crash is not applied yet:
http://www.spinics.net/lists/lvs-devel/msg03877.html
Regards
--
Julian Anastasov
tinue for the FTP problem on IPVS lists without
> > bothering non-IPVS people.
> >
>
> yeah, it seems that the xfrm issue is away.
Thanks for the confirmation!
Regards
--
Julian Anastasov
ches?
You can also try without FTP tests to see if there
are oopses in xfrm, so that we can close this topic and then
to continue for the FTP problem on IPVS lists without
bothering non-IPVS people.
Regards
--
Julian Anastasov
Hello,
On Mon, 8 Dec 2014, Smart Weblications GmbH - Florian Wiessner wrote:
> Am 07.12.2014 19:27, schrieb Julian Anastasov:>
> >
> > I'm attaching a patch that avoids rerouting in
> > IPVS for LOCAL_IN. Please test it in your setup. My tests
> >
h NAT on today's net tree. I checked that it
compiles for 3.12.33. You can use the default snat_reroute=1.
Regards
--
Julian Anastasov
From 4fc493f8f1ed967b1e3dd6d330a25bad762516d7 Mon Sep 17 00:00:00 2001
From: Julian Anastasov
Date: Sun, 7 Dec 2014 18:13:24 +0200
Subject: [PATCH net] ipvs:
provides different IP.
IIRC, IPVS does not mangle PORT command, vsftpd expects to
connect to the same client IP. There is config option you can
try to set (port_promiscuous), only while testing.
> [14:47:45] [R] List Fehler
> [14:48:14] [R] QUIT
> [14:48:14] [R] 221 Goodbye.
> [14:48:14] [R] Ausgeloggt: 192.168.10.62
Regards
--
Julian Anastasov
ewer kernels than 3.12, because ocfs2 is
> somehow broken in >= 3.14
Before I create patch to avoid rerouting for
LOCAL_IN you can try to set IPVS sysctl var "snat_reroute" to 0
or even to change ip_vs_route_me_harder() function just to return 0.
snat_reroute=1 (a default value)
").
This is only to explain above stack. Not sure
if problem is related somehow to early demux but such
commits look interesting:
- commit 6b8dbcf2c44fd7a ("bridge: netfilter: orphan skb before invoking
ip netfilter hooks")
Also, it would be good to know which 3.x ker
is
> not needed.
>
> This issue was detected by using the Coccinelle software.
>
> Signed-off-by: Markus Elfring
Pablo, the IPVS parts look ok to me,
Acked-by: Julian Anastasov
> ---
> net/netfilter/ipvs/ip_vs_ctl.c | 3 +--
> net/netfilter/ipvs/ip_vs_pe.c| 3
Hello,
On Fri, 7 Nov 2014, Calvin Owens wrote:
> On 11/05/2014 01:21 AM, Julian Anastasov wrote:
> >
> > Hello,
> >
> > On Tue, 4 Nov 2014, Calvin Owens wrote:
> >
> > > ip_vs_prepare_tunneled_skb() ignores ->sk when allocating a new
>
ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int
> skb_af,
> new_skb = skb_realloc_headroom(skb, max_headroom);
> if (!new_skb)
> goto error;
> + if (skb->sk)
> + skb_set_owner_w(new_skb, skb->sk);
> we get to nf_nat_net_exit so it doesn't look the synchronize_rcu
> in nf_nat_exit is actually protecting anything.
It is true for cleanup_net. I don't remember, can we
see packets while the particular module-exit calls
unregister_pernet_subsys(), may be yes?
Regards
--
Jul
> [] process_one_work+0x157/0x440
> [] worker_thread+0x63/0x520
> [] kthread+0xd6/0xf0
> [] ret_from_fork+0x7c/0xb0
> [] 0xffff
Regards
--
Julian Anastasov
other restrictions.
Regards
--
Julian Anastasov