On Tuesday 2009-04-28 17:00, Simon Horman wrote:
>> >Index: net-next-2.6/net/netfilter/ipvs/ip_vs_conn.c >> >=================================================================== >> >--- net-next-2.6.orig/net/netfilter/ipvs/ip_vs_conn.c 2009-04-28 20:37:48.000000000 +1000 >> >+++ net-next-2.6/net/netfilter/ipvs/ip_vs_conn.c 2009-04-28 20:37:51.000000000 +1000 >> >@@ -260,7 +260,10 @@ struct ip_vs_conn *ip_vs_ct_in_get >> > list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) { >> > if (cp->af == af && >> > ip_vs_addr_equal(af, s_addr, &cp->caddr) && >> >- ip_vs_addr_equal(af, d_addr, &cp->vaddr) && >> >+ /* protocol should only be IPPROTO_IP if >> >+ * d_addr is a fwmark */ >> >+ ip_vs_addr_equal(protocol == IPPROTO_IP ? AF_UNSPEC : af, >> >+ d_addr, &cp->vaddr) &&
>>
>> What about IPPROTO_IPV6?
>
>I believe that the value IPPROTO_IP is only used in the case of fwmark.
>Here is an explanation of why.
>
>1) If a fwmark is in use, then it is set to IPPROTO_IP when dealing
>   with templates for persistence.
>2) If the entry is created by the FTP helper, IPPROTO_TCP is used.
>3) If the entry is created by synchronisation of the table of another
>   machine, then the protocol used in the foreign entry is used -
>   which would have been set by one of these 4 cases.
>4) Otherwise the value of iph.protocol is used.

That sounds a bit like whenever you get an IPIP packet, IPVS will
erroneously think it is operating on an fwmark-based address.
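
Review bot: in the new ip_vs_addr_equal() call on d_addr, the test "protocol == IPPROTO_IP" stands in for "this template is fwmark-based", but nothing in the hunk enforces that invariant; the added comment only says it "should" hold. The questions raised in this thread about other protocol values show the assumption is not obvious to a reader of ip_vs_ct_in_get. Consider extending the comment to say where IPPROTO_IP is assigned for fwmark templates, or testing an explicit fwmark indicator rather than overloading protocol. The call also depends on how ip_vs_addr_equal() treats AF_UNSPEC, which is not visible in these lines; a short note on which part of the address is compared in that case would let the check be reviewed on its own.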