    ipvs: drop first packet to redirect conntrack · f94ad404
    Julian Anastasov authored
    commit f719e375 upstream.
    
    Jiri Bohac is reporting a problem where the attempt
    to reschedule an existing connection to another real server
    needs a proper redirect for the conntrack used by the IPVS
    connection. For example, when an IPVS connection is created
    to a NAT-ed real server we alter the reply direction of the
    conntrack. If we later decide to select a different real
    server we cannot alter the conntrack again. And if we
    expire the old connection, the new connection is left
    without a conntrack.
    
    So, the only way to redirect both the IPVS connection and
    the Netfilter conntrack is to drop the SYN packet that
    hits the existing connection, to wait for the next jiffie
    to expire the old connection and its conntrack, and to rely
    on the client's retransmission to create a new connection as
    usual.
    
    Jiri Bohac provided a fix that drops all SYNs on rescheduling,
    I extended his patch to do such drops only for connections
    that use conntrack. Here is the original report from Jiri Bohac:
    
    Since commit dc7b3eb9 ("ipvs: Fix reuse connection if real server
    is dead"), new connections to dead servers are redistributed
    immediately to new servers.  The old connection is expired using
    ip_vs_conn_expire_now() which sets the connection timer to expire
    immediately.
    
    However, before the timer callback, ip_vs_conn_expire(), is run
    to clean the connection's conntrack entry, the new redistributed
    connection may already be established and its conntrack removed
    instead.
    
    Fix this by dropping the first packet of the new connection
    instead, like we do when the destination server is not available.
    The timer will have deleted the old conntrack entry long before
    the first packet of the new connection is retransmitted.
    
    Fixes: dc7b3eb9 ("ipvs: Fix reuse connection if real server is dead")
    Signed-off-by: Jiri Bohac <jbohac@suse.cz>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>