Simon Horman a écrit :
> From: Julius Volz <julius.volz@xxxxxxxxx>
>
> IPVS: Add handling of incoming ICMPV6_PKT_TOOBIG messages
>
> Add handling of incoming ICMPv6 Packet Too Big messages. This message
> is received when a realserver sends a packet >PMTU to the client. The
> hop on this path with insufficient MTU will generate an ICMPv6 Packet
> Too Big message back to the VIP. The LVS server receives this message,
> but the call to the function handling this has been missing. Thus, IPVS
> fails to forward the message to the real server, which then does not
> adjust the path MTU. This patch adds the missing call to
> ip_vs_in_icmp_v6() in ip_vs_in() to handle this situation.
>
> Thanks to Rob Gallagher from HEAnet for reporting this issue and for
> testing this patch in production (with direct routing mode).
>
> Signed-off-by: Julius Volz <julius.volz@xxxxxxxxx>
> Tested-by: Rob Gallagher <robert.gallagher@xxxxxxxxx>
> Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
>
> ---
> net/netfilter/ipvs/ip_vs_core.c | 23 +++++++++++++++++------
> 1 files changed, 17 insertions(+), 6 deletions(-)
>
> Dave, please consider applying this change.
>
> I'm ok with it not going into 2.6.31 as I don't think that
> many people are affected by this problem.
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index 8dddb17..5750800 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1274,13 +1274,24 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
> return NF_ACCEPT;
> }
>
> - if (unlikely(iph.protocol == IPPROTO_ICMP)) {
> - int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
> +#ifdef CONFIG_IP_VS_IPV6
> + if (af == AF_INET6) {
> + if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
> + int related, verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
>
> - if (related)
> - return verdict;
> - ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
> - }
> + if (related)
> + return verdict;
> + ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
> + }
> + } else
> +#endif
> + if (unlikely(iph.protocol == IPPROTO_ICMP)) {
> + int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
> +
> + if (related)
> + return verdict;
> + ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
> + }
>
> /* Protocol supported? */
> pp = ip_vs_proto_get(iph.protocol);
I see no reference to ICMPV6_PKT_TOOBIG in this patch, so ChangeLog might be
misleading or uncomplete, since other ICMPV6 message types
(ICMPV6_DEST_UNREACH/ICMPV6_TIME_EXCEED) will also be forwarded/handled ?
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
