The commit is pushed to "branch-rh7-3.10.0-1160.114.2.vz7.222.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1160.114.2.vz7.222.2 ------> commit de8058eaa157af0d1133899ca1026424fa9e1fb6 Author: Konstantin Khorenko <khore...@virtuozzo.com> Date: Fri Jun 14 19:18:36 2024 +0300
Revert "ms/ipvs: drop conn templates under attack" This reverts commit c9f04a125c5422268548b5682ee3aacf91a22ce5. Technical revert, the patch should have couple preparation commits. https://virtuozzo.atlassian.net/browse/PSBM-156080 Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com> --- net/netfilter/ipvs/ip_vs_conn.c | 59 ++++++++++++++--------------------------- 1 file changed, 20 insertions(+), 39 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index dec5800a2769..d71661bf1641 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c @@ -807,23 +807,12 @@ static void ip_vs_conn_expire(unsigned long data) /* Unlink conn if not referenced anymore */ if (likely(ip_vs_conn_unlink(cp))) { - struct ip_vs_conn *ct = cp->control; - /* delete the timer if it is activated by other users */ del_timer(&cp->timer); /* does anybody control me? */ - if (ct) { + if (cp->control) ip_vs_control_del(cp); - /* Drop CTL or non-assured TPL if not used anymore */ - if (!cp->timeout && !atomic_read(&ct->n_control) && - (!(ct->flags & IP_VS_CONN_F_TEMPLATE) || - !(ct->state & IP_VS_CTPL_S_ASSURED))) { - IP_VS_DBG(4, "drop controlling connection\n"); - ct->timeout = 0; - ip_vs_conn_expire_now(ct); - } - } if ((cp->flags & IP_VS_CONN_F_NFCT) && !(cp->flags & IP_VS_CONN_F_ONE_PACKET)) { @@ -866,10 +855,6 @@ static void ip_vs_conn_expire(unsigned long data) /* Modify timer, so that it expires as soon as possible. * Can be called without reference only if under RCU lock. - * We can have such chain of conns linked with ->control: DATA->CTL->TPL - * - DATA (eg. FTP) and TPL (persistence) can be present depending on setup - * - cp->timeout=0 indicates all conns from chain should be dropped but - * TPL is not dropped if in assured state */ void ip_vs_conn_expire_now(struct ip_vs_conn *cp) { 
@@ -1206,11 +1191,8 @@ static const struct file_operations ip_vs_conn_sync_fops = {
 #endif
 
 
-/* Randomly drop connection entries before running out of memory
- * Can be used for DATA and CTL conns. For TPL conns there are exceptions:
- * - traffic for services in OPS mode increases ct->in_pkts, so it is supported
- * - traffic for services not in OPS mode does not increase ct->in_pkts in
- * all cases, so it is not supported
+/*
+ * Randomly drop connection entries before running out of memory
 */
 static inline int todrop_entry(struct ip_vs_conn *cp)
 {
@@ -1254,7 +1236,7 @@ static inline bool ip_vs_conn_ops_mode(struct ip_vs_conn *cp)
 void ip_vs_random_dropentry(struct net *net)
 {
 int idx;
- struct ip_vs_conn *cp;
+ struct ip_vs_conn *cp, *cp_c;
 
 /*
 * Randomly scan 1/32 of the whole table every second
@@ -1270,15 +1252,13 @@ void ip_vs_random_dropentry(struct net *net)
 hlist_for_each_entry_rcu(cp, &ip_vs_conn_tab[hash], c_list) {
 if (!ip_vs_conn_net_eq(cp, net))
 continue;
- if (atomic_read(&cp->n_control))
- continue;
 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
- /* connection template of OPS */
- if (ip_vs_conn_ops_mode(cp))
+ if (atomic_read(&cp->n_control) ||
+ !ip_vs_conn_ops_mode(cp))
+ continue;
+ else
+ /* connection template of OPS */
 goto try_drop;
- if (!(cp->state & IP_VS_CTPL_S_ASSURED))
- goto drop;
- continue;
 }
 if (cp->protocol == IPPROTO_TCP) {
 switch(cp->state) {
@@ -1300,10 +1280,15 @@ void ip_vs_random_dropentry(struct net *net)
 continue;
 }
 
-drop:
- IP_VS_DBG(4, "drop connection\n");
- cp->timeout = 0;
+ IP_VS_DBG(4, "del connection\n");
 ip_vs_conn_expire_now(cp);
+ cp_c = cp->control;
+ /* cp->control is valid only with reference to cp */
+ if (cp_c && __ip_vs_conn_get(cp)) {
+ IP_VS_DBG(4, "del conn template\n");
+ ip_vs_conn_expire_now(cp_c);
+ __ip_vs_conn_put(cp);
+ }
 }
 rcu_read_unlock();
 }
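Review bot: The `else` after `continue;` in the restored IP_VS_CONN_F_TEMPLATE branch (hunk at -1270) is redundant, because the `if` body never falls through; the branch reads more directly as `if (atomic_read(&cp->n_control) || !ip_vs_conn_ops_mode(cp)) continue;` followed by `/* connection template of OPS */` and `goto try_drop;` with no `else`. The `try_drop` label and the rest of ip_vs_random_dropentry lie outside this hunk.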
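Review bot: In the restored tail of ip_vs_random_dropentry (hunk at -1300) ip_vs_conn_expire_now(cp) now runs before ip_vs_conn_expire_now(cp_c), and the next hunk restores the same order in ip_vs_conn_flush, while the comment that hunk removes explained that timers fire in LIFO order and the controlling connection therefore had to be re-armed first. Nothing on the new side records why expiring cp first is acceptable; presumably the template's own expiry waits while it still controls cp, but that path is not visible here and should be confirmed against ip_vs_conn_expire. Since the description says the dropped patch is to return after preparation commits, a one-line comment at `cp_c = cp->control;`, e.g. `/* cp_c is re-armed after cp and so fires first (LIFO); its expiry must cope with n_control > 0 */`, would record the assumption in the meantime. ip_vs_random_dropentry begins before this hunk.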
@@ -1329,19 +1314,15 @@ static void ip_vs_conn_flush(struct net *net)
 hlist_for_each_entry_rcu(cp, &ip_vs_conn_tab[idx], c_list) {
 if (!ip_vs_conn_net_eq(cp, net))
 continue;
- /* As timers are expired in LIFO order, restart
- * the timer of controlling connection first, so
- * that it is expired after us.
- */
+ IP_VS_DBG(4, "del connection\n");
+ ip_vs_conn_expire_now(cp);
 cp_c = cp->control;
 /* cp->control is valid only with reference to cp */
 if (cp_c && __ip_vs_conn_get(cp)) {
- IP_VS_DBG(4, "del controlling connection\n");
+ IP_VS_DBG(4, "del conn template\n");
 ip_vs_conn_expire_now(cp_c);
 __ip_vs_conn_put(cp);
 }
- IP_VS_DBG(4, "del connection\n");
- ip_vs_conn_expire_now(cp);
 }
 rcu_read_unlock();
 }
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel