On Wed, Apr 27, 2016 at 10:27:41AM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Tue, 26 Apr 2016, Marco Angaroni wrote:
>
> > DoS protection policy that deletes connections to avoid out of memory is
> > currently not effective for SIP-pe plus OPS-mode for two reasons:
> > 1) connection templates (holding SIP call-id) are always skipped in
> >    ip_vs_random_dropentry()
> > 2) in_pkts counter (used by drop_entry algorithm) is not incremented
> >    for connection templates
> >
> > This patch addresses such problems with the following changes:
> > a) connection templates associated (via their dest) to virtual-services
> >    configured in OPS mode are included in ip_vs_random_dropentry()
> >    monitoring. This applies to SIP-pe over UDP (which requires OPS mode),
> >    but is more general principle: when OPS is controlled by templates
> >    memory can be used only by templates themselves, since OPS conns are
> >    deleted after packet is forwarded.
> > b) OPS connections, if controlled by a template, cause increment of
> >    in_pkts counter of their template. This is already happening but only
> >    in case director is in master-slave mode (see ip_vs_sync_conn()).
> >
> > Signed-off-by: Marco Angaroni <marcoangaroni@xxxxxxxxx>
>
> Looks good to me. Simon, please apply to -next.
>
> Acked-by: Julian Anastasov <ja@xxxxxx>

Thanks, applied.