[Devel] [PATCH RH7 0/4] do not rely on missing rtcache in vzprivnet_hook

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Oct 19 05:20:53 PDT 2016


The vzprivnet filter relies on dst.privnet_mark being per saddr+daddr pair.
But rt_hash_table was removed in the ms (mainstream) kernel in v3.6, commit
89aef8921bfb ("ipv4: Delete routing cache."). Now different saddr+daddr
pairs can share the same routing dst_entry, and thus the same pmark
variable, so the vzprivnet filter fails to filter these pairs (it blocks
both or allows both, depending on which connection came first: the one we
need to block or the one we need to allow).

This is an attempt to return to the plain vzprivnet_hook without caching,
so that we always do an explicit vzprivnet_classify. If after this change
the network does not become much slower (no more than ~10% slower), we
should be able to live with it.

Note: we do the same in vzprivnet6_hook, except that there the private
networks are kept in a radix tree instead of the rbtree used by vzprivnet_hook.

https://jira.sw.ru/browse/PSBM-53646

Pavel Tikhomirov (4):
  Revert "vzprivnet: rt cache drop on vzprivnet update"
  Revert "vzprivnet: Flush rt cache each time rules change"
  vzprivnet: remove dst.privnet_mark usage as it is no more rtcached
  Revert "VZPRIVNET: cache filtering result on dst"

 include/net/dst.h                 |  2 --
 net/core/dst.c                    |  1 -
 net/ipv4/netfilter/ip_vzprivnet.c | 63 +++++++--------------------------------
 3 files changed, 10 insertions(+), 56 deletions(-)

-- 
2.7.4
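As an added illustration (this is not code from the patch series or from the Virtuozzo kernel), the following C model reproduces the failure mode the cover letter describes: a verdict cached on a dst_entry that is shared by every source routed to the same destination leaks from the first saddr+daddr pair to every later pair, while explicit per-pair classification does not. The rule set (two hypothetical /24 "private networks", same-net traffic allowed, cross-net traffic denied), the one-dst-per-destination routing model and all function names are simplifying assumptions made for the example, not the real vzprivnet data structures.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only; not vzprivnet code. */
#define MARK_UNSET 0
#define MARK_ALLOW 1
#define MARK_DENY  2

/* Hypothetical private networks: 10.0.1.0/24 and 10.0.2.0/24 (constructed). */
static const uint32_t privnets[] = { 0x0A000100u, 0x0A000200u };

static int privnet_of(uint32_t addr) {
    for (size_t i = 0; i < sizeof privnets / sizeof privnets[0]; i++)
        if ((addr & 0xFFFFFF00u) == privnets[i])
            return (int)i;
    return -1;
}

/* Explicit classification: the verdict depends on the (saddr, daddr) pair. */
int vzprivnet_classify_model(uint32_t saddr, uint32_t daddr) {
    int s = privnet_of(saddr), d = privnet_of(daddr);
    if (s < 0 || d < 0)
        return MARK_ALLOW;          /* traffic outside private nets is not filtered */
    return s == d ? MARK_ALLOW : MARK_DENY;
}

/* Model of a dst_entry after the routing-cache removal: one dst per
 * destination, shared by every source that routes to it. */
struct dst_model { uint32_t daddr; int privnet_mark; };

static struct dst_model dst_table[8];
static size_t dst_count;

void route_cache_reset(void) { dst_count = 0; }

struct dst_model *route_lookup(uint32_t daddr) {
    for (size_t i = 0; i < dst_count; i++)
        if (dst_table[i].daddr == daddr)
            return &dst_table[i];
    if (dst_count == sizeof dst_table / sizeof dst_table[0])
        dst_count = 0;              /* toy eviction so the model cannot overflow */
    dst_table[dst_count] = (struct dst_model){ daddr, MARK_UNSET };
    return &dst_table[dst_count++];
}

/* The reverted scheme: cache the first verdict on the shared dst. */
int filter_cached(uint32_t saddr, uint32_t daddr) {
    struct dst_model *dst = route_lookup(daddr);
    if (dst->privnet_mark == MARK_UNSET)
        dst->privnet_mark = vzprivnet_classify_model(saddr, daddr);
    return dst->privnet_mark;       /* same answer for every saddr behind this dst */
}

/* What the series returns to: classify on every packet. */
int filter_uncached(uint32_t saddr, uint32_t daddr) {
    (void)route_lookup(daddr);      /* the route is still resolved, no mark consulted */
    return vzprivnet_classify_model(saddr, daddr);
}

/* True if, after s1 populated the shared dst for d, s2 gets a wrong verdict. */
bool cached_filter_misfires(uint32_t s1, uint32_t s2, uint32_t d) {
    route_cache_reset();
    (void)filter_cached(s1, d);
    return filter_cached(s2, d) != vzprivnet_classify_model(s2, d);
}

int main(void) {
    uint32_t same_net = 0x0A000105u;  /* 10.0.1.5  */
    uint32_t other_net = 0x0A000205u; /* 10.0.2.5  */
    uint32_t dst = 0x0A00010Au;       /* 10.0.1.10 */
    printf("cached, allow-first:  misfires=%d\n",
           cached_filter_misfires(same_net, other_net, dst));
    printf("cached, deny-first:   misfires=%d\n",
           cached_filter_misfires(other_net, same_net, dst));
    route_cache_reset();
    printf("uncached: %d then %d\n",
           filter_uncached(same_net, dst), filter_uncached(other_net, dst));
    return 0;
}
```

Whichever pair arrives first wins for the whole dst in the cached variant, which is exactly the "blocks both or allows both depending on which connection was first" behaviour; the uncached variant gives the correct verdict in either order at the cost of running classification per packet.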
