On Thu, May 24, 2018 at 11:40:12PM +0300, Julian Anastasov wrote:
> ip_vs_ftp requires conntrack modules for mangling
> of FTP command responses in passive mode.
>
> Make sure the conntrack hooks are registered when
> real servers use NAT method in FTP virtual service.
> The hooks will be registered while the service is
> present.
>
> Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed by ruleset")
> Signed-off-by: Julian Anastasov <ja@xxxxxx>

Acked-by: Simon Horman <horms+renesas@xxxxxxxxxxxx>

Pablo, please take this into nf if it is not to much trouble.

> ---
> include/net/ip_vs.h | 30 ++++++++++++++++++++++++++++++
> net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++
> 2 files changed, 34 insertions(+)
>
> diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
> index eb0bec0..ae72d90 100644
> --- a/include/net/ip_vs.h
> +++ b/include/net/ip_vs.h
> @@ -643,6 +643,7 @@ struct ip_vs_service {
>
> /* alternate persistence engine */
> struct ip_vs_pe __rcu *pe;
> + int conntrack_afmask;
>
> struct rcu_head rcu_head;
> };
> @@ -1620,6 +1621,35 @@ static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp,
> return false;
> }
>
> +static inline int ip_vs_register_conntrack(struct ip_vs_service *svc)
> +{
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK)
> + int afmask = (svc->af == AF_INET6) ? 2 : 1;
> + int ret = 0;
> +
> + if (!(svc->conntrack_afmask & afmask)) {
> + ret = nf_ct_netns_get(svc->ipvs->net, svc->af);
> + if (ret >= 0)
> + svc->conntrack_afmask |= afmask;
> + }
> + return ret;
> +#else
> + return 0;
> +#endif
> +}
> +
> +static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc)
> +{
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK)
> + int afmask = (svc->af == AF_INET6) ? 2 : 1;
> +
> + if (svc->conntrack_afmask & afmask) {
> + nf_ct_netns_put(svc->ipvs->net, svc->af);
> + svc->conntrack_afmask &= ~afmask;
> + }
> +#endif
> +}
> +
> static inline int
> ip_vs_dest_conn_overhead(struct ip_vs_dest *dest)
> {
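Review bot: The new `conntrack_afmask` field is read-modify-written by `ip_vs_register_conntrack()` and `ip_vs_unregister_conntrack()` with no locking visible in the helpers, so correctness of the `nf_ct_netns_get()`/`nf_ct_netns_put()` balance depends on callers serializing against each other — presumably the IPVS control mutex, which this hunk does not show. That contract should be written down where the field is declared, e.g. `int conntrack_afmask; /* bitmask of AFs for which nf_ct_netns_get() is held; callers serialize via the ctl mutex; released by ip_vs_unregister_conntrack() */`, and each helper deserves a one-line header saying it is idempotent per AF and must be called under that same lock. A second, smaller point: since a service has a single `svc->af`, the mask can only ever hold one bit for a given service, so if the bitmask is meant to leave room for something else a comment saying so would stop the next reader from simplifying it to a bool.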
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 3ecca06..ee0ab27 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -835,6 +835,9 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
> * For now only for NAT!
> */
> ip_vs_rs_hash(ipvs, dest);
> + /* FTP-NAT requires conntrack for mangling */
> + if (svc->port == FTPPORT)
> + ip_vs_register_conntrack(svc);
> }
> atomic_set(&dest->conn_flags, conn_flags);
>
> @@ -1458,6 +1461,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
> */
> static void ip_vs_unlink_service(struct ip_vs_service *svc, bool cleanup)
> {
> + ip_vs_unregister_conntrack(svc);
> /* Hold svc to avoid double release from dest_trash */
> atomic_inc(&svc->refcnt);
> /*
> --
> 2.9.5
> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
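Review bot: The return value of `ip_vs_register_conntrack(svc);` in `__ip_vs_update_dest` is discarded, even though the helper itself checks `ret >= 0` because `nf_ct_netns_get()` can fail; on failure the NAT real server is still added and FTP traffic will flow with no conntrack hooks, so the passive-mode mangling this patch exists to enable silently does not happen. At minimum the failure should be surfaced, e.g. `if (svc->port == FTPPORT && ip_vs_register_conntrack(svc) < 0)` followed by `IP_VS_ERR_RL("conntrack unavailable, FTP-NAT mangling disabled\n");` (or whatever rate-limited logging this file already uses); propagating the error would be better if `__ip_vs_update_dest` can return one, which I cannot tell from the hunk. A smaller related point is that the `svc->port == FTPPORT` test only covers the default FTP port, so if ip_vs_ftp is built with a configurable port list — I believe it is, but that is outside this patch — services on those other ports would not get the hooks. Both `__ip_vs_update_dest` and `ip_vs_unlink_service` start and end outside the hunks.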