[Devel] [PATCH RHEL7 COMMIT] Revert "ms/ipvs: drop conn templates under attack"

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 14 19:20:01 MSK 2024 

The commit is pushed to "branch-rh7-3.10.0-1160.114.2.vz7.222.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.114.2.vz7.222.2
------>
commit de8058eaa157af0d1133899ca1026424fa9e1fb6
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Jun 14 19:18:36 2024 +0300

    Revert "ms/ipvs: drop conn templates under attack"
    
    This reverts commit c9f04a125c5422268548b5682ee3aacf91a22ce5.
    
    Technical revert, the patch should have couple preparation commits.
    
    https://virtuozzo.atlassian.net/browse/PSBM-156080
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/netfilter/ipvs/ip_vs_conn.c | 59 ++++++++++++++---------------------------
 1 file changed, 20 insertions(+), 39 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index dec5800a2769..d71661bf1641 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -807,23 +807,12 @@ static void ip_vs_conn_expire(unsigned long data)
 
 	/* Unlink conn if not referenced anymore */
 	if (likely(ip_vs_conn_unlink(cp))) {
-		struct ip_vs_conn *ct = cp->control;
-
 		/* delete the timer if it is activated by other users */
 		del_timer(&cp->timer);
 
 		/* does anybody control me? */
-		if (ct) {
+		if (cp->control)
 			ip_vs_control_del(cp);
-			/* Drop CTL or non-assured TPL if not used anymore */
-			if (!cp->timeout && !atomic_read(&ct->n_control) &&
-			    (!(ct->flags & IP_VS_CONN_F_TEMPLATE) ||
-			     !(ct->state & IP_VS_CTPL_S_ASSURED))) {
-				IP_VS_DBG(4, "drop controlling connection\n");
-				ct->timeout = 0;
-				ip_vs_conn_expire_now(ct);
-			}
-		}
 
 		if ((cp->flags & IP_VS_CONN_F_NFCT) &&
 		    !(cp->flags & IP_VS_CONN_F_ONE_PACKET)) {
@@ -866,10 +855,6 @@ static void ip_vs_conn_expire(unsigned long data)
 
 /* Modify timer, so that it expires as soon as possible.
  * Can be called without reference only if under RCU lock.
- * We can have such chain of conns linked with ->control: DATA->CTL->TPL
- * - DATA (eg. FTP) and TPL (persistence) can be present depending on setup
- * - cp->timeout=0 indicates all conns from chain should be dropped but
- * TPL is not dropped if in assured state
  */
 void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
 {
@@ -1206,11 +1191,8 @@ static const struct file_operations ip_vs_conn_sync_fops = {
 #endif
 
 
-/* Randomly drop connection entries before running out of memory
- * Can be used for DATA and CTL conns. For TPL conns there are exceptions:
- * - traffic for services in OPS mode increases ct->in_pkts, so it is supported
- * - traffic for services not in OPS mode does not increase ct->in_pkts in
- * all cases, so it is not supported
+/*
+ *      Randomly drop connection entries before running out of memory
  */
 static inline int todrop_entry(struct ip_vs_conn *cp)
 {
@@ -1254,7 +1236,7 @@ static inline bool ip_vs_conn_ops_mode(struct ip_vs_conn *cp)
 void ip_vs_random_dropentry(struct net *net)
 {
 	int idx;
-	struct ip_vs_conn *cp;
+	struct ip_vs_conn *cp, *cp_c;
 
 	/*
 	 * Randomly scan 1/32 of the whole table every second
@@ -1270,15 +1252,13 @@ void ip_vs_random_dropentry(struct net *net)
 		hlist_for_each_entry_rcu(cp, &ip_vs_conn_tab[hash], c_list) {
 			if (!ip_vs_conn_net_eq(cp, net))
 				continue;
-			if (atomic_read(&cp->n_control))
-				continue;
 			if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
-				/* connection template of OPS */
-				if (ip_vs_conn_ops_mode(cp))
+				if (atomic_read(&cp->n_control) ||
+				    !ip_vs_conn_ops_mode(cp))
+					continue;
+				else
+					/* connection template of OPS */
 					goto try_drop;
-				if (!(cp->state & IP_VS_CTPL_S_ASSURED))
-					goto drop;
-				continue;
 			}
 			if (cp->protocol == IPPROTO_TCP) {
 				switch(cp->state) {
@@ -1300,10 +1280,15 @@ void ip_vs_random_dropentry(struct net *net)
 					continue;
 			}
 
-drop:
-			IP_VS_DBG(4, "drop connection\n");
-			cp->timeout = 0;
+			IP_VS_DBG(4, "del connection\n");
 			ip_vs_conn_expire_now(cp);
+			cp_c = cp->control;
+			/* cp->control is valid only with reference to cp */
+			if (cp_c && __ip_vs_conn_get(cp)) {
+				IP_VS_DBG(4, "del conn template\n");
+				ip_vs_conn_expire_now(cp_c);
+				__ip_vs_conn_put(cp);
+			}
 		}
 		rcu_read_unlock();
 	}
@@ -1329,19 +1314,15 @@ static void ip_vs_conn_flush(struct net *net)
 		hlist_for_each_entry_rcu(cp, &ip_vs_conn_tab[idx], c_list) {
 			if (!ip_vs_conn_net_eq(cp, net))
 				continue;
-			/* As timers are expired in LIFO order, restart
-			 * the timer of controlling connection first, so
-			 * that it is expired after us.
-			 */
+			IP_VS_DBG(4, "del connection\n");
+			ip_vs_conn_expire_now(cp);
 			cp_c = cp->control;
 			/* cp->control is valid only with reference to cp */
 			if (cp_c && __ip_vs_conn_get(cp)) {
-				IP_VS_DBG(4, "del controlling connection\n");
+				IP_VS_DBG(4, "del conn template\n");
 				ip_vs_conn_expire_now(cp_c);
 				__ip_vs_conn_put(cp);
 			}
-			IP_VS_DBG(4, "del connection\n");
-			ip_vs_conn_expire_now(cp);
 		}
 		rcu_read_unlock();
 	}

More information about the Devel mailing list