Re: [PATCH net] ipvs: register conntrack hooks for ftp


 



On Thu, May 24, 2018 at 11:40:12PM +0300, Julian Anastasov wrote:
> ip_vs_ftp requires conntrack modules for mangling
> of FTP command responses in passive mode.
> 
> Make sure the conntrack hooks are registered when
> real servers use NAT method in FTP virtual service.
> The hooks will be registered while the service is
> present.
> 
> Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed by ruleset")
> Signed-off-by: Julian Anastasov <ja@xxxxxx>

Acked-by: Simon Horman <horms+renesas@xxxxxxxxxxxx>

Pablo, please take this into nf if it is not too much trouble.

> ---
>  include/net/ip_vs.h            | 30 ++++++++++++++++++++++++++++++
>  net/netfilter/ipvs/ip_vs_ctl.c |  4 ++++
>  2 files changed, 34 insertions(+)
> 
> diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
> index eb0bec0..ae72d90 100644
> --- a/include/net/ip_vs.h
> +++ b/include/net/ip_vs.h
> @@ -643,6 +643,7 @@ struct ip_vs_service {
>  
>  	/* alternate persistence engine */
>  	struct ip_vs_pe __rcu	*pe;
> +	int			conntrack_afmask;
>  
>  	struct rcu_head		rcu_head;
>  };
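Review bot: The new `conntrack_afmask` member has no comment, while the surrounding fields of `struct ip_vs_service` each say what they hold, and the meaning of its bits (1 for IPv4, 2 for IPv6) is only discoverable from the inline helpers added in the next hunk. Suggest annotating the field in the header: `int			conntrack_afmask; /* AF bits (1=IPv4, 2=IPv6) with conntrack hooks held */`. Readers of the struct should not need to find the helpers to know what a set bit means.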
> @@ -1620,6 +1621,35 @@ static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp,
>  	return false;
>  }
>  
> +static inline int ip_vs_register_conntrack(struct ip_vs_service *svc)
> +{
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK)
> +	int afmask = (svc->af == AF_INET6) ? 2 : 1;
> +	int ret = 0;
> +
> +	if (!(svc->conntrack_afmask & afmask)) {
> +		ret = nf_ct_netns_get(svc->ipvs->net, svc->af);
> +		if (ret >= 0)
> +			svc->conntrack_afmask |= afmask;
> +	}
> +	return ret;
> +#else
> +	return 0;
> +#endif
> +}
> +
> +static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc)
> +{
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK)
> +	int afmask = (svc->af == AF_INET6) ? 2 : 1;
> +
> +	if (svc->conntrack_afmask & afmask) {
> +		nf_ct_netns_put(svc->ipvs->net, svc->af);
> +		svc->conntrack_afmask &= ~afmask;
> +	}
> +#endif
> +}
> +
>  static inline int
>  ip_vs_dest_conn_overhead(struct ip_vs_dest *dest)
>  {
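Review bot: Neither `ip_vs_register_conntrack` nor `ip_vs_unregister_conntrack` carries a header comment, and the contract they implement is not obvious from the code: at most one `nf_ct_netns_get()` reference is taken per service and address family, the bit in `conntrack_afmask` records that it is held, and on a failed get the bit stays clear so a later call retries. A short comment above the register helper stating that, and that its return value is the `nf_ct_netns_get()` error code which callers are expected to check, would make the pairing with the unregister helper clear. The `(svc->af == AF_INET6) ? 2 : 1` mask expression is duplicated in both functions; factoring it into a small `static inline` helper or named constants would keep the bit assignment in one place and tie it to the field's documentation. The read-modify-write of `conntrack_afmask` is unprotected here; presumably both helpers are only reached under the IPVS control mutex — worth stating in the comment so the assumption is explicit.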
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 3ecca06..ee0ab27 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -835,6 +835,9 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
>  		 *    For now only for NAT!
>  		 */
>  		ip_vs_rs_hash(ipvs, dest);
> +		/* FTP-NAT requires conntrack for mangling */
> +		if (svc->port == FTPPORT)
> +			ip_vs_register_conntrack(svc);
>  	}
>  	atomic_set(&dest->conn_flags, conn_flags);
>  
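Review bot: The return value of `ip_vs_register_conntrack(svc)` is discarded, so if `nf_ct_netns_get()` fails the FTP virtual service is set up without the conntrack hooks and passive-mode mangling silently stops working, with nothing in the logs to explain it. `__ip_vs_update_dest` starts outside the hunk, so whether it can propagate an error is not visible here; if it can, capture it with `ret = ip_vs_register_conntrack(svc);` and return it to the caller, otherwise the failure should at least be reported. Since a failed registration leaves the mask bit clear, a later dest update would retry, but that only helps if the operator learns of the first failure.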
> @@ -1458,6 +1461,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
>   */
>  static void ip_vs_unlink_service(struct ip_vs_service *svc, bool cleanup)
>  {
> +	ip_vs_unregister_conntrack(svc);
>  	/* Hold svc to avoid double release from dest_trash */
>  	atomic_inc(&svc->refcnt);
>  	/*
> -- 
> 2.9.5
> 


