ipvs: make rerouting optional with snat_reroute
Add new sysctl flag "snat_reroute". Recent kernels use ip_route_me_harder() to route LVS-NAT responses properly by VIP when there are multiple paths to client. But setups that do not have alternative default routes can skip this routing lookup by using snat_reroute=0. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Patrick McHardy <kaber@trash.net>
parent
f4bc17cdd2
commit
8a8030407f
|
@ -801,6 +801,7 @@ extern int sysctl_ip_vs_expire_quiescent_template;
|
||||||
extern int sysctl_ip_vs_sync_threshold[2];
|
extern int sysctl_ip_vs_sync_threshold[2];
|
||||||
extern int sysctl_ip_vs_nat_icmp_send;
|
extern int sysctl_ip_vs_nat_icmp_send;
|
||||||
extern int sysctl_ip_vs_conntrack;
|
extern int sysctl_ip_vs_conntrack;
|
||||||
|
extern int sysctl_ip_vs_snat_reroute;
|
||||||
extern struct ip_vs_stats ip_vs_stats;
|
extern struct ip_vs_stats ip_vs_stats;
|
||||||
extern const struct ctl_path net_vs_ctl_path[];
|
extern const struct ctl_path net_vs_ctl_path[];
|
||||||
|
|
||||||
|
|
|
@ -929,20 +929,31 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
|
||||||
ip_send_check(ip_hdr(skb));
|
ip_send_check(ip_hdr(skb));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* nf_iterate does not expect change in the skb->dst->dev.
|
||||||
|
* It looks like it is not fatal to enable this code for hooks
|
||||||
|
* where our handlers are at the end of the chain list and
|
||||||
|
* when all next handlers use skb->dst->dev and not outdev.
|
||||||
|
* It will definitely route properly the inout NAT traffic
|
||||||
|
* when multiple paths are used.
|
||||||
|
*/
|
||||||
|
|
||||||
/* For policy routing, packets originating from this
|
/* For policy routing, packets originating from this
|
||||||
* machine itself may be routed differently to packets
|
* machine itself may be routed differently to packets
|
||||||
* passing through. We want this packet to be routed as
|
* passing through. We want this packet to be routed as
|
||||||
* if it came from this machine itself. So re-compute
|
* if it came from this machine itself. So re-compute
|
||||||
* the routing information.
|
* the routing information.
|
||||||
*/
|
*/
|
||||||
|
if (sysctl_ip_vs_snat_reroute) {
|
||||||
#ifdef CONFIG_IP_VS_IPV6
|
#ifdef CONFIG_IP_VS_IPV6
|
||||||
if (af == AF_INET6) {
|
if (af == AF_INET6) {
|
||||||
if (ip6_route_me_harder(skb) != 0)
|
if (ip6_route_me_harder(skb) != 0)
|
||||||
goto drop;
|
goto drop;
|
||||||
} else
|
} else
|
||||||
#endif
|
#endif
|
||||||
if (ip_route_me_harder(skb, RTN_LOCAL) != 0)
|
if (ip_route_me_harder(skb, RTN_LOCAL) != 0)
|
||||||
goto drop;
|
goto drop;
|
||||||
|
}
|
||||||
|
|
||||||
IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
|
IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
|
||||||
|
|
||||||
|
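Review bot: The new `if (sysctl_ip_vs_snat_reroute)` gate around the route lookup carries no comment on what is given up when the flag is cleared, while the pre-existing "So re-compute the routing information" comment above it still reads as if the lookup were unconditional. A one-line comment at the gate, `/* snat_reroute=0 skips this lookup; meant only for setups with no alternative default routes to the client */`, would tie the sysctl to the condition the commit message gives for disabling it. The added comment about nf_iterate and skb->dst->dev does not say which hooks handle_response is reached from, so a reader of this hunk cannot tell whether the "handlers at the end of the chain" assumption holds here; naming the hook(s) it was checked against would make that comment actionable. handle_response begins before this hunk.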
@ -991,8 +1002,13 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
|
||||||
if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
|
if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
|
||||||
int related, verdict = ip_vs_out_icmp_v6(skb, &related);
|
int related, verdict = ip_vs_out_icmp_v6(skb, &related);
|
||||||
|
|
||||||
if (related)
|
if (related) {
|
||||||
|
if (sysctl_ip_vs_snat_reroute &&
|
||||||
|
NF_ACCEPT == verdict &&
|
||||||
|
ip6_route_me_harder(skb))
|
||||||
|
verdict = NF_DROP;
|
||||||
return verdict;
|
return verdict;
|
||||||
|
}
|
||||||
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
||||||
}
|
}
|
||||||
} else
|
} else
|
||||||
|
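Review bot: Rerouting related ICMPv6 errors is new behaviour rather than a gating of existing behaviour: the removed `if (related)` line was followed directly by `return verdict;`, with no `ip6_route_me_harder()` call, and the IPv4 branch in the next hunk (at +1016) changes in the same way. The commit description only speaks of making the existing reroute optional, so a comment at both call sites, along the lines of `/* related ICMP errors now get the same post-SNAT reroute as data replies */`, would record that this is intentional. The four-line condition is also the third copy of the "reroute if enabled" logic (handle_response above, ICMPv6 here, ICMP below); a small static helper keeps the three sites in step, as sketched below. ip_vs_out starts before this hunk, and the enclosing `#ifdef CONFIG_IP_VS_IPV6` branch is closed only at the `} else` context line.
```c
/* Re-route a reply after SNAT so policy routing treats it as locally
 * originated. Returns non-zero when the lookup fails (caller drops).
 * A no-op when the snat_reroute sysctl is cleared. */
static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
{
	if (!sysctl_ip_vs_snat_reroute)
		return 0;
#ifdef CONFIG_IP_VS_IPV6
	if (af == AF_INET6)
		return ip6_route_me_harder(skb);
#endif
	return ip_route_me_harder(skb, RTN_LOCAL);
}

		/* … unchanged: ip_vs_out_icmp_v6 call … */
		if (related) {
			if (NF_ACCEPT == verdict && ip_vs_route_me_harder(af, skb))
				verdict = NF_DROP;
			return verdict;
		}
```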
@ -1000,8 +1016,13 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
|
||||||
if (unlikely(iph.protocol == IPPROTO_ICMP)) {
|
if (unlikely(iph.protocol == IPPROTO_ICMP)) {
|
||||||
int related, verdict = ip_vs_out_icmp(skb, &related);
|
int related, verdict = ip_vs_out_icmp(skb, &related);
|
||||||
|
|
||||||
if (related)
|
if (related) {
|
||||||
|
if (sysctl_ip_vs_snat_reroute &&
|
||||||
|
NF_ACCEPT == verdict &&
|
||||||
|
ip_route_me_harder(skb, RTN_LOCAL))
|
||||||
|
verdict = NF_DROP;
|
||||||
return verdict;
|
return verdict;
|
||||||
|
}
|
||||||
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -91,6 +91,7 @@ int sysctl_ip_vs_nat_icmp_send = 0;
|
||||||
#ifdef CONFIG_IP_VS_NFCT
|
#ifdef CONFIG_IP_VS_NFCT
|
||||||
int sysctl_ip_vs_conntrack;
|
int sysctl_ip_vs_conntrack;
|
||||||
#endif
|
#endif
|
||||||
|
int sysctl_ip_vs_snat_reroute = 1;
|
||||||
|
|
||||||
|
|
||||||
#ifdef CONFIG_IP_VS_DEBUG
|
#ifdef CONFIG_IP_VS_DEBUG
|
||||||
|
@ -1599,6 +1600,13 @@ static struct ctl_table vs_vars[] = {
|
||||||
.mode = 0644,
|
.mode = 0644,
|
||||||
.proc_handler = proc_do_defense_mode,
|
.proc_handler = proc_do_defense_mode,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.procname = "snat_reroute",
|
||||||
|
.data = &sysctl_ip_vs_snat_reroute,
|
||||||
|
.maxlen = sizeof(int),
|
||||||
|
.mode = 0644,
|
||||||
|
.proc_handler = &proc_dointvec,
|
||||||
|
},
|
||||||
#if 0
|
#if 0
|
||||||
{
|
{
|
||||||
.procname = "timeout_established",
|
.procname = "timeout_established",
|
||||||
|
|
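Review bot: `.proc_handler = &proc_dointvec` accepts any integer for a flag that the code only ever tests for zero/non-zero; a bounded handler (`proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1) would make the sysctl's interface match its meaning and reject values that look configured but mean nothing. The neighbouring entry at the top of this hunk writes `.proc_handler = proc_do_defense_mode` without a leading `&`, so the new entry should use the same form, `.proc_handler = proc_dointvec,`. No documentation change for the new sysctl is visible in this commit; the IPVS sysctl documentation should gain an entry stating the default of 1 and that 0 skips the post-SNAT route lookup for replies, which the commit message limits to setups without alternative default routes.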