Hello,
On Tue, 8 Sep 2015, Simon Horman wrote:
> I have squashed my change into Alex's patch and pushed the result.
> For reference it is as follows:
>
> From: Alex Gartrell <agartrell@xxxxxx>
> Subject: [PATCH] ipvs: support scheduling inverse and icmp SCTP packets
>
> In the event of an icmp packet, take only the ports instead of trying to
> grab the full header.
>
> In the event of an inverse packet, use the source address and port.
>
> Signed-off-by: Alex Gartrell <agartrell@xxxxxx>
> Acked-by: Julian Anastasov <ja@xxxxxx>
> [horms: initialise 'ipvs' before it is used]
> Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
> ---
> net/netfilter/ipvs/ip_vs_proto_sctp.c | 46 +++++++++++++++++++----------------
> 1 file changed, 25 insertions(+), 21 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> index cd2984f3dad7..e000e6e76d71 100644
> --- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
> +++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> @@ -13,37 +13,41 @@ sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
> int *verdict, struct ip_vs_conn **cpp,
> struct ip_vs_iphdr *iph)
> {
> - struct net *net;
> + struct net *net = skb_net(skb);
> + struct netns_ipvs *ipvs = net_ipvs(net);

Looks good, thanks!

> struct ip_vs_service *svc;
> - struct netns_ipvs *ipvs;
> sctp_chunkhdr_t _schunkh, *sch;
> sctp_sctphdr_t *sh, _sctph;
> -
> - if (ip_vs_iph_icmp(iph)) {
> - /* TEMPORARY - do not schedule icmp yet */
> - *verdict = NF_ACCEPT;
> - return 0;
> - }
> -
> - sh = skb_header_pointer(skb, iph->len, sizeof(_sctph), &_sctph);
> - if (sh == NULL) {
> - *verdict = NF_DROP;
> - return 0;
> + __be16 _ports[2], *ports = NULL;
> +
> + if (likely(!ip_vs_iph_icmp(iph))) {
> + sh = skb_header_pointer(skb, iph->len, sizeof(_sctph), &_sctph);
> + if (sh) {
> + sch = skb_header_pointer(
> + skb, iph->len + sizeof(sctp_sctphdr_t),
> + sizeof(_schunkh), &_schunkh);
> + if (sch && (sch->type == SCTP_CID_INIT ||
> + sysctl_sloppy_sctp(ipvs)))
> + ports = &sh->source;
> + }
> + } else {
> + ports = skb_header_pointer(
> + skb, iph->len, sizeof(_ports), &_ports);
> }
>
> - sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t),
> - sizeof(_schunkh), &_schunkh);
> - if (sch == NULL) {
> + if (!ports) {
> *verdict = NF_DROP;
> return 0;
> }
>
> - net = skb_net(skb);
> - ipvs = net_ipvs(net);
> rcu_read_lock();
> - if ((sch->type == SCTP_CID_INIT || sysctl_sloppy_sctp(ipvs)) &&
> - (svc = ip_vs_service_find(net, af, skb->mark, iph->protocol,
> - &iph->daddr, sh->dest))) {
> + if (likely(!ip_vs_iph_inverse(iph)))
> + svc = ip_vs_service_find(net, af, skb->mark, iph->protocol,
> + &iph->daddr, ports[1]);
> + else
> + svc = ip_vs_service_find(net, af, skb->mark, iph->protocol,
> + &iph->saddr, ports[0]);
> + if (svc) {
> int ignored;
>
> if (ip_vs_todrop(ipvs)) {

Regards

--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in the body of a message 
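Review bot: A readable packet whose first chunk is not INIT, with sloppy_sctp off, now ends in `NF_DROP`, because the combined test `if (sch && (sch->type == SCTP_CID_INIT || sysctl_sloppy_sctp(ipvs)))` leaves `ports` NULL and the later `if (!ports)` cannot tell that case from a failed `skb_header_pointer()`. The removed code dropped only on an unreadable header and otherwise just skipped the service lookup, so, assuming the tail of sctp_conn_schedule() outside this hunk still returns 1 to let the caller continue, SCTP traffic with no IPVS connection entry would presumably be discarded instead of passed on. I would keep a plain `if (sch)` and put `if (!(sysctl_sloppy_sctp(ipvs) || sch->type == SCTP_CID_INIT)) return 1;` ahead of `ports = &sh->source;`, so that NF_DROP stays reserved for truncated headers. A one-line comment such as `/* ports[0] = source, ports[1] = dest; dest directly follows source in the SCTP header */` on that assignment would also document the layout that the later `ports[1]` lookup relies on.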