On Sat, Feb 9, 2019 at 9:15 AM Julian Anastasov <ja@xxxxxx> wrote:
>
>
> Hello,
>
> On Thu, 7 Feb 2019, Andrea Claudi wrote:
>
> > ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
> > but lacks proper kconfig dependencies and does not explicitly
> > request defrag features.
> >
> > As a result, if netfilter hooks are not loaded, when IPv6 fragmented
> > packet are handled by ipvs only the first fragment makes through.
> >
> > Fix it properly declaring the dependency on Kconfig and registering
> > netfilter hooks on __ip_vs_init().
> >
> > Reported-by: Li Shuang <shuali@xxxxxxxxxx>
> > Signed-off-by: Andrea Claudi <aclaudi@xxxxxxxxxx>
> > ---
> > net/netfilter/ipvs/Kconfig | 1 +
> > net/netfilter/ipvs/ip_vs_core.c | 16 ++++++++++------
> > 2 files changed, 11 insertions(+), 6 deletions(-)
> >
> > diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> > index cad48d07c818..8401cefd9f65 100644
> > --- a/net/netfilter/ipvs/Kconfig
> > +++ b/net/netfilter/ipvs/Kconfig
> > @@ -29,6 +29,7 @@ config IP_VS_IPV6
> > bool "IPv6 support for IPVS"
> > depends on IPV6 = y || IP_VS = IPV6
> > select IP6_NF_IPTABLES
> > + select NF_DEFRAG_IPV6
> > ---help---
> > Add IPv6 support to IPVS.
> >
> > diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> > index fe9abf3cc10a..7f9c6a563139 100644
> > --- a/net/netfilter/ipvs/ip_vs_core.c
> > +++ b/net/netfilter/ipvs/ip_vs_core.c
> > @@ -49,6 +49,7 @@
> > #ifdef CONFIG_IP_VS_IPV6
> > #include <net/ipv6.h>
> > #include <linux/netfilter_ipv6.h>
> > +#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
> > #include <net/ip6_route.h>
> > #endif
> >
> > @@ -1536,14 +1537,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
> > /* sorry, all this trouble for a no-hit :) */
> > IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
> > "ip_vs_in: packet continues traversal as normal");
> > - if (iph->fragoffs) {
> > - /* Fragment that couldn't be mapped to a conn entry
> > - * is missing module nf_defrag_ipv6
> > - */
> > - IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
> > +
> > + /* Fragment couldn't be mapped to a conn entry */
> > + if (iph->fragoffs)
> > IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
> > "unhandled fragment");
> > - }
> > +
> > *verdict = NF_ACCEPT;
> > return 0;
> > }
> > @@ -2251,6 +2250,11 @@ static int __net_init __ip_vs_init(struct net *net)
> > if (ip_vs_sync_net_init(ipvs) < 0)
> > goto sync_fail;
> >
> > +#ifdef CONFIG_IP_VS_IPV6
> > + if (nf_defrag_ipv6_enable(net) < 0)
> > + goto hook_fail;
> > +#endif
>
> Can we move above code in 2 places for further optimization?:
>
> 1. ip_vs_add_service: in the existing CONFIG_IP_VS_IPV6 if-block,
> use ipvs->net
>
> 2. ip_vs_new_dest: in the existing CONFIG_IP_VS_IPV6 if-block, use
> svc->ipvs->net
>
> Second case is needed when we use mixed address family,
> i.e. svc->af = AF_INET and dest->af = AF_INET6
>
> As result, defrag hooks will be registered not when
> module is loaded but when IPVS is configured to use IPv6.
Hi Julian,
ACK. I'll change this in v2.
Regards,
Andrea
> > +
> > ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
> > if (ret < 0)
> > goto hook_fail;
> > --
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
