Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4e144d3a authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
The following batch contains Netfilter/IPVS updates for net-next,
they are:

* Enforce policy to several nfnetlink subsystem, from Daniel
  Borkmann.

* Use xt_socket to match the third packet (to perform simplistic
  socket-based stateful filtering), from Eric Dumazet.

* Avoid large timeout for picked up from the middle TCP flows,
  from Florian Westphal.

* Exclude IPVS from struct net if IPVS is disabled and removal
  of unnecessary included header file, from JunweiZhang.

* Release SCTP connection immediately under load, to mimic current
  TCP behaviour, from Julian Anastasov.

* Replace and enhance SCTP state machine, from Julian Anastasov.

* Add tweak to reduce sync traffic in the presence of persistence,
  also from Julian Anastasov.

* Add tweak for the IPVS SH scheduler not to reject connections
  directed to a server, choose a new one instead, from Alexander
  Frolkin.

* Add support for sloppy TCP and SCTP modes, that creates state
  information on any packet, not only initial handshake packets,
  from Alexander Frolkin.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 008aebde 496e4ae7

Documentation/networking/ipvs-sysctl.txt

+13 −0
Original line number Diff line number Diff line
@@ -181,6 +181,19 @@ snat_reroute - BOOLEAN 
	always be the same as the original route so it is an optimisation

	to disable snat_reroute and avoid the recalculation.



sync_persist_mode - INTEGER

	default 0



	Controls the synchronisation of connections when using persistence



	0: All types of connections are synchronised

	1: Attempt to reduce the synchronisation traffic depending on

	the connection type. For persistent services avoid synchronisation

	for normal connections, do it only for persistence templates.

	In such case, for TCP and SCTP it may need enabling sloppy_tcp and

	sloppy_sctp flags on backup servers. For non-persistent services

	such optimization is not applied, mode 0 is assumed.



sync_version - INTEGER

	default 1

include/net/ip_vs.h

+48 −36
Original line number Diff line number Diff line
@@ -197,31 +197,6 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr) 
	}

}



/* This function is a faster version of ip_vs_fill_iph_skb().

 * Where we only populate {s,d}addr (and avoid calling ipv6_find_hdr()).

 * This is used by the some of the ip_vs_*_schedule() functions.

 * (Mostly done to avoid ABI breakage of external schedulers)

 */

static inline void

ip_vs_fill_iph_addr_only(int af, const struct sk_buff *skb,

			 struct ip_vs_iphdr *iphdr)

{

#ifdef CONFIG_IP_VS_IPV6

	if (af == AF_INET6) {

		const struct ipv6hdr *iph =

			(struct ipv6hdr *)skb_network_header(skb);

		iphdr->saddr.in6 = iph->saddr;

		iphdr->daddr.in6 = iph->daddr;

	} else

#endif

	{

		const struct iphdr *iph =

			(struct iphdr *)skb_network_header(skb);

		iphdr->saddr.ip = iph->saddr;

		iphdr->daddr.ip = iph->daddr;

	}

}



static inline void ip_vs_addr_copy(int af, union nf_inet_addr *dst,

				   const union nf_inet_addr *src)

{
@@ -405,17 +380,18 @@ enum { 
 */

enum ip_vs_sctp_states {

	IP_VS_SCTP_S_NONE,

	IP_VS_SCTP_S_INIT_CLI,

	IP_VS_SCTP_S_INIT_SER,

	IP_VS_SCTP_S_INIT_ACK_CLI,

	IP_VS_SCTP_S_INIT_ACK_SER,

	IP_VS_SCTP_S_ECHO_CLI,

	IP_VS_SCTP_S_ECHO_SER,

	IP_VS_SCTP_S_INIT1,

	IP_VS_SCTP_S_INIT,

	IP_VS_SCTP_S_COOKIE_SENT,

	IP_VS_SCTP_S_COOKIE_REPLIED,

	IP_VS_SCTP_S_COOKIE_WAIT,

	IP_VS_SCTP_S_COOKIE,

	IP_VS_SCTP_S_COOKIE_ECHOED,

	IP_VS_SCTP_S_ESTABLISHED,

	IP_VS_SCTP_S_SHUT_CLI,

	IP_VS_SCTP_S_SHUT_SER,

	IP_VS_SCTP_S_SHUT_ACK_CLI,

	IP_VS_SCTP_S_SHUT_ACK_SER,

	IP_VS_SCTP_S_SHUTDOWN_SENT,

	IP_VS_SCTP_S_SHUTDOWN_RECEIVED,

	IP_VS_SCTP_S_SHUTDOWN_ACK_SENT,

	IP_VS_SCTP_S_REJECTED,

	IP_VS_SCTP_S_CLOSED,

	IP_VS_SCTP_S_LAST

};
@@ -814,7 +790,8 @@ struct ip_vs_scheduler { 


	/* selecting a server from the given service */

	struct ip_vs_dest* (*schedule)(struct ip_vs_service *svc,

				       const struct sk_buff *skb);

				       const struct sk_buff *skb,

				       struct ip_vs_iphdr *iph);

};



/* The persistence engine object */
@@ -998,10 +975,13 @@ struct netns_ipvs { 
	int			sysctl_snat_reroute;

	int			sysctl_sync_ver;

	int			sysctl_sync_ports;

	int			sysctl_sync_persist_mode;

	unsigned long		sysctl_sync_qlen_max;

	int			sysctl_sync_sock_size;

	int			sysctl_cache_bypass;

	int			sysctl_expire_nodest_conn;

	int			sysctl_sloppy_tcp;

	int			sysctl_sloppy_sctp;

	int			sysctl_expire_quiescent_template;

	int			sysctl_sync_threshold[2];

	unsigned int		sysctl_sync_refresh_period;
@@ -1044,6 +1024,8 @@ struct netns_ipvs { 
#define DEFAULT_SYNC_THRESHOLD	3

#define DEFAULT_SYNC_PERIOD	50

#define DEFAULT_SYNC_VER	1

#define DEFAULT_SLOPPY_TCP	0

#define DEFAULT_SLOPPY_SCTP	0

#define DEFAULT_SYNC_REFRESH_PERIOD	(0U * HZ)

#define DEFAULT_SYNC_RETRIES		0

#define IPVS_SYNC_WAKEUP_RATE	8
@@ -1080,11 +1062,26 @@ static inline int sysctl_sync_ver(struct netns_ipvs *ipvs) 
	return ipvs->sysctl_sync_ver;

}



static inline int sysctl_sloppy_tcp(struct netns_ipvs *ipvs)

{

	return ipvs->sysctl_sloppy_tcp;

}



static inline int sysctl_sloppy_sctp(struct netns_ipvs *ipvs)

{

	return ipvs->sysctl_sloppy_sctp;

}



static inline int sysctl_sync_ports(struct netns_ipvs *ipvs)

{

	return ACCESS_ONCE(ipvs->sysctl_sync_ports);

}



static inline int sysctl_sync_persist_mode(struct netns_ipvs *ipvs)

{

	return ipvs->sysctl_sync_persist_mode;

}



static inline unsigned long sysctl_sync_qlen_max(struct netns_ipvs *ipvs)

{

	return ipvs->sysctl_sync_qlen_max;
@@ -1133,11 +1130,26 @@ static inline int sysctl_sync_ver(struct netns_ipvs *ipvs) 
	return DEFAULT_SYNC_VER;

}



static inline int sysctl_sloppy_tcp(struct netns_ipvs *ipvs)

{

	return DEFAULT_SLOPPY_TCP;

}



static inline int sysctl_sloppy_sctp(struct netns_ipvs *ipvs)

{

	return DEFAULT_SLOPPY_SCTP;

}



static inline int sysctl_sync_ports(struct netns_ipvs *ipvs)

{

	return 1;

}



static inline int sysctl_sync_persist_mode(struct netns_ipvs *ipvs)

{

	return 0;

}



static inline unsigned long sysctl_sync_qlen_max(struct netns_ipvs *ipvs)

{

	return IPVS_SYNC_QLEN_MAX;

include/net/net_namespace.h

+2 −0
Original line number Diff line number Diff line
@@ -115,7 +115,9 @@ struct net { 
#ifdef CONFIG_XFRM

	struct netns_xfrm	xfrm;

#endif

#if IS_ENABLED(CONFIG_IP_VS)

	struct netns_ipvs	*ipvs;

#endif

	struct sock		*diag_nlsk;

	atomic_t		rt_genid;

	atomic_t		fnhe_genid;

include/uapi/linux/ip_vs.h

+6 −0
Original line number Diff line number Diff line
@@ -20,6 +20,12 @@ 
#define IP_VS_SVC_F_PERSISTENT	0x0001		/* persistent port */

#define IP_VS_SVC_F_HASHED	0x0002		/* hashed entry */

#define IP_VS_SVC_F_ONEPACKET	0x0004		/* one-packet scheduling */

#define IP_VS_SVC_F_SCHED1	0x0008		/* scheduler flag 1 */

#define IP_VS_SVC_F_SCHED2	0x0010		/* scheduler flag 2 */

#define IP_VS_SVC_F_SCHED3	0x0020		/* scheduler flag 3 */



#define IP_VS_SVC_F_SCHED_SH_FALLBACK	IP_VS_SVC_F_SCHED1 /* SH fallback */

#define IP_VS_SVC_F_SCHED_SH_PORT	IP_VS_SVC_F_SCHED2 /* SH use port */



/*

 *      Destination Server Flags

include/uapi/linux/netfilter/nfnetlink_queue.h

+2 −0
Original line number Diff line number Diff line
@@ -105,5 +105,7 @@ enum nfqnl_attr_config { 
#define NFQA_SKB_CSUMNOTREADY (1 << 0)

/* packet is GSO (i.e., exceeds device mtu) */

#define NFQA_SKB_GSO (1 << 1)

/* csum not validated (incoming device doesn't support hw checksum, etc.) */

#define NFQA_SKB_CSUM_NOTVERIFIED (1 << 2)



#endif /* _NFNETLINK_QUEUE_H */