On Thu, Sep 02, 2010 at 02:41:35AM +0300, Julian Anastasov wrote:
>
> Fix Active FTP:
>
> - Do not create expectation when forwarding the PORT
> command to avoid blocking the connection. The problem is that
> nf_conntrack_ftp.c:help() tries to create the same expectation
> later in POST_ROUTING and drops the packet with "dropping packet"
> message after failure in nf_ct_expect_related.
>
> - Change ip_vs_update_conntrack to alter the conntrack
> for related connections from real server. If we do not alter
> the reply in this direction the next packet from client
> sent to vport 20 comes as NEW connection. We alter it
> but may be some collision happens for both conntracks and
> the second conntrack gets destroyed immediately. The connection
> stucks too.
>
> Signed-off-by: Julian Anastasov <ja@xxxxxx>
> ---

Thanks, this looks good to me. I have CCed the netfilter-devel list for review there.

>
> This patch is for 2.6.36
>
> diff -urp v2.6.36-rc2/linux/include/net/ip_vs.h linux/include/net/ip_vs.h
> --- v2.6.36-rc2/linux/include/net/ip_vs.h 2010-08-26 09:11:45.000000000 +0300
> +++ linux/include/net/ip_vs.h 2010-09-02 01:10:31.000000000 +0300
> @@ -955,6 +955,9 @@ static inline __wsum ip_vs_check_diff2(_
> return csum_partial(diff, sizeof(diff), oldsum);
> }
>
> +extern void ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp,
> + int outin);
> +
> #endif /* __KERNEL__ */
>
> #endif /* _NET_IP_VS_H */
> diff -urp v2.6.36-rc2/linux/net/netfilter/ipvs/ip_vs_core.c linux/net/netfilter/ipvs/ip_vs_core.c
> --- v2.6.36-rc2/linux/net/netfilter/ipvs/ip_vs_core.c 2010-08-26 09:11:47.000000000 +0300
> +++ linux/net/netfilter/ipvs/ip_vs_core.c 2010-09-02 01:08:36.000000000 +0300
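Review bot: The new prototype adds a bare `int outin` flag whose meaning a caller cannot tell from the header, and every call site in this patch passes it as a literal 0 or 1; the definition hunk at ip_vs_xmit.c @@ -349 has the same gap. The @@ -365 hunk shows what the flag selects — non-zero rewrites the reply tuple's source to cp->daddr/cp->dport, zero rewrites its destination to cp->vaddr/cp->vport — and the call sites suggest non-zero means a packet on its way to the real server while zero means a packet coming back from it. A comment above the declaration would capture that: `/* outin != 0: packet towards the real server, reply tuple source becomes cp->daddr:cp->dport; outin == 0: packet from the real server, reply tuple destination becomes cp->vaddr:cp->vport */`.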
> @@ -924,6 +924,7 @@ handle_response(int af, struct sk_buff *
>
> ip_vs_out_stats(cp, skb);
> ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
> + ip_vs_update_conntrack(skb, cp, 0);
> ip_vs_conn_put(cp);
>
> skb->ipvs_property = 1;
> diff -urp v2.6.36-rc2/linux/net/netfilter/ipvs/ip_vs_ftp.c linux/net/netfilter/ipvs/ip_vs_ftp.c
> --- v2.6.36-rc2/linux/net/netfilter/ipvs/ip_vs_ftp.c 2010-08-26 09:11:47.000000000 +0300
> +++ linux/net/netfilter/ipvs/ip_vs_ftp.c 2010-09-02 00:45:54.000000000 +0300
> @@ -409,7 +409,6 @@ static int ip_vs_ftp_in(struct ip_vs_app
> union nf_inet_addr to;
> __be16 port;
> struct ip_vs_conn *n_cp;
> - struct nf_conn *ct;
>
> #ifdef CONFIG_IP_VS_IPV6
> /* This application helper doesn't work with IPv6 yet,
> @@ -496,11 +495,6 @@ static int ip_vs_ftp_in(struct ip_vs_app
> ip_vs_control_add(n_cp, cp);
> }
>
> - ct = (struct nf_conn *)skb->nfct;
> - if (ct && ct != &nf_conntrack_untracked)
> - ip_vs_expect_related(skb, ct, n_cp,
> - IPPROTO_TCP, &n_cp->dport, 1);
> -
> /*
> * Move tunnel to listen state
> */
> diff -urp v2.6.36-rc2/linux/net/netfilter/ipvs/ip_vs_xmit.c linux/net/netfilter/ipvs/ip_vs_xmit.c
> --- v2.6.36-rc2/linux/net/netfilter/ipvs/ip_vs_xmit.c 2010-08-26 09:11:47.000000000 +0300
> +++ linux/net/netfilter/ipvs/ip_vs_xmit.c 2010-09-02 01:04:16.000000000 +0300
> @@ -349,8 +349,8 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb
> }
> #endif
>
> -static void
> -ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp)
> +void
> +ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
> {
> struct nf_conn *ct = (struct nf_conn *)skb->nfct;
> struct nf_conntrack_tuple new_tuple;
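Review bot: `ip_vs_update_conntrack(skb, cp, 0);` is placed unconditionally in handle_response, so it now runs for every reply that path forwards and not only for the FTP-related case the description targets; handle_response's body begins outside the hunk. nf_conntrack_alter_reply is meant for a conntrack that is not yet confirmed, and the guard lines of ip_vs_update_conntrack between the `new_tuple` declaration and the `ct->tuplehash` read are not in this patch, so this call relies on that guard returning early for a missing, untracked or already-confirmed conntrack — please confirm it covers all three, since a reply with no conntrack attached would otherwise dereference NULL. The literal 0 here and the literal 1 at the ip_vs_xmit.c @@ -428 and @@ -506 call sites would read better with a named constant or a short comment at each site, e.g. `ip_vs_update_conntrack(skb, cp, 0); /* reply from real server */`.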
> @@ -365,11 +365,17 @@ ip_vs_update_conntrack(struct sk_buff *s
> * real-server we will see RIP->DIP.
> */
> new_tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
> - new_tuple.src.u3 = cp->daddr;
> + if (outin)
> + new_tuple.src.u3 = cp->daddr;
> + else
> + new_tuple.dst.u3 = cp->vaddr;
> /*
> * This will also take care of UDP and other protocols.
> */
> - new_tuple.src.u.tcp.port = cp->dport;
> + if (outin)
> + new_tuple.src.u.tcp.port = cp->dport;
> + else
> + new_tuple.dst.u.tcp.port = cp->vport;
> nf_conntrack_alter_reply(ct, &new_tuple);
> }
>
> @@ -428,7 +434,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, stru
>
> IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
>
> - ip_vs_update_conntrack(skb, cp);
> + ip_vs_update_conntrack(skb, cp, 1);
>
> /* FIXME: when application helper enlarges the packet and the length
> is larger than the MTU of outgoing device, there will be still
> @@ -506,7 +512,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, s
>
> IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
>
> - ip_vs_update_conntrack(skb, cp);
> + ip_vs_update_conntrack(skb, cp, 1);
>
> /* FIXME: when application helper enlarges the packet and the length
> is larger than the MTU of outgoing device, there will be still
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
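Review bot: The two separate `if (outin)` chains split one decision — which side of the reply tuple is rewritten — across two statements with the protocol comment in between, so the address and the port of a side can drift apart on a later edit; one if/else that sets both fields per side keeps them together. The comment immediately above (`* real-server we will see RIP->DIP.`, whose start is outside the hunk) still describes only the outin case and should also state the new direction, in which the reply's destination becomes cp->vaddr:cp->vport. The rewritten lines follow; the nf_conntrack_alter_reply call and the rest of the function are unchanged.
```c
	new_tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
	/*
	 * outin != 0: packet towards the real server, its reply will come
	 * from cp->daddr:cp->dport.  outin == 0: packet from the real
	 * server, its reply must be addressed to cp->vaddr:cp->vport.
	 * Assigning u.tcp.port also takes care of UDP and other protocols.
	 */
	if (outin) {
		new_tuple.src.u3 = cp->daddr;
		new_tuple.src.u.tcp.port = cp->dport;
	} else {
		new_tuple.dst.u3 = cp->vaddr;
		new_tuple.dst.u.tcp.port = cp->vport;
	}
	/* … unchanged: nf_conntrack_alter_reply(ct, &new_tuple) … */
```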