Linux Kernel Mailing List wrote:
> Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2d771cd86d4c3af26f34a7bcdc1b87696824cad9
> Commit:     2d771cd86d4c3af26f34a7bcdc1b87696824cad9
> 
>     [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
>     
>     this is a small patch by Janusz Krzysztofik to ip_route_output_slow()
>     that allows VIP-less LVS linux director to generate packets
>     originating From VIP if sysctl_ip_nonlocal_bind is set.
>     
>     In a nutshell, the intention is for an LVS linux director to be able
>     to send ICMP unreachable responses to end-users when real-servers are
>     removed.
>     
>     http://archive.linuxvirtualserver.org/html/lvs-users/2007-01/msg00106.html
>     
>     Signed-off-by: Simon Horman <[EMAIL PROTECTED]>
>     Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
> ---
>  net/ipv4/route.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index df9fe4f..cb76e3c 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -2396,7 +2396,7 @@ static int ip_route_output_slow(struct rtable **rp, 
> const struct flowi *oldflp)
>  
>               /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
>               dev_out = ip_dev_find(oldflp->fl4_src);
> -             if (dev_out == NULL)
> +             if ((dev_out == NULL) && !(sysctl_ip_nonlocal_bind))
>                       goto out;
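Review bot: the relaxed condition `if ((dev_out == NULL) && !(sysctl_ip_nonlocal_bind))` drops the local-source requirement for every caller of ip_route_output_slow() as soon as the sysctl is on, with no capability check, so the global toggle now governs whether arbitrary source addresses may be routed out rather than only whether they may be bound; gating this on a per-flow flag that requires CAP_NET_ADMIN (as the TPROXY patches do), or routing non-local sources through the input path as ip_route_me_harder() does, would keep the decision per caller. The comment just above, `/* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */`, is no longer accurate once the sysctl branch is taken and should be updated to mention the exception. Minor style point: the extra parentheses around `dev_out == NULL` and `sysctl_ip_nonlocal_bind` are unnecessary; `if (dev_out == NULL && !sysctl_ip_nonlocal_bind)` reads as the surrounding code does.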


This allows any user to send spoofed packets when ip_nonlocal_bind
is set, which is a quite big change in behaviour of this option.
The TPROXY patches include a similar change, but use a flag in
struct flowi that requires CAP_NET_ADMIN to be set, which seems like
a better idea. Alternatively you could just use input routing for
non-local source addresses like ip_route_me_harder does.

BTW, there doesn't even seem to be a spot where IPVS calls
ip_route_output with the source address set. What exactly is this
needed for?
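
The check the hunk relaxes is the same "source address must be local" rule that user space meets at bind() time, so the quickest way to see what ip_nonlocal_bind controls is from a socket program. The following is an added example, not code from the thread or from the kernel patch: it tries to bind a UDP socket to 192.0.2.1 (a TEST-NET-1 documentation address, assumed not to be configured on the machine running it) with and without the per-socket IP_FREEBIND option, which is the unprivileged equivalent of the sysctl, and returns the resulting errno. The helper name try_bind_nonlocal is my own. It assumes a Linux host with net.ipv4.ip_nonlocal_bind left at its default of 0; IP_TRANSPARENT, the option the TPROXY work uses, is deliberately not exercised because it requires CAP_NET_ADMIN (CAP_NET_RAW on newer kernels), which is exactly the capability gating the reply above argues for.

```c
/* Added example (not part of the patch or the thread). Linux refuses to bind
 * a socket to an IPv4 address that is not configured on any interface and
 * reports EADDRNOTAVAIL, unless net.ipv4.ip_nonlocal_bind is set globally or
 * the socket opts in with IP_FREEBIND (no privilege needed). 192.0.2.1 is a
 * documentation (TEST-NET-1) address assumed to be absent from this host. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to bind a UDP socket to addr, optionally enabling IP_FREEBIND first.
 * Returns 0 on success, otherwise the errno of the call that failed. */
int try_bind_nonlocal(const char *addr, int use_freebind)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    int rc = 0;
    if (use_freebind) {
#ifdef IP_FREEBIND
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
            rc = errno;
#else
        rc = ENOPROTOOPT;   /* not a Linux kernel: IP_FREEBIND unavailable */
#endif
    }

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = 0;        /* any port; only the address matters here */
    if (rc == 0 && inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
        rc = EINVAL;

    if (rc == 0 && bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        rc = errno;

    close(fd);
    return rc;
}

int main(void)
{
    const char *addr = "192.0.2.1";
    printf("bind %s without IP_FREEBIND: %s\n", addr,
           strerror(try_bind_nonlocal(addr, 0)));
    printf("bind %s with IP_FREEBIND:    %s\n", addr,
           strerror(try_bind_nonlocal(addr, 1)));
    return 0;
}
```

Run it as an ordinary user: the first bind fails with "Cannot assign requested address" and the second succeeds, which is the behaviour the sysctl makes global. The patch under discussion extends that same global switch to output routing, so a host that enables ip_nonlocal_bind for a VIP-less director also lets any local process route packets from a source address it does not own; auditing that sysctl on directors, and preferring capability-gated per-socket options over the global knob, is the defensive takeaway.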
