[PATCHv2,net-next,0/3] Drop IPVS conn templates under attack

Message ID 20180706052554.7268-1-ja@ssi.bg

Message

Julian Anastasov July 6, 2018, 5:25 a.m. UTC
This patchset changes how templates are dropped under attack.

Patch 1 changes ip_vs_state_name arguments, so that we can
print info in a followup patch by using just the state.

Patch 2 implements an assured flag for connection templates to
indicate that the connection progressed after the initial packet.

Patch 3 uses the assured state to decide whether to drop connection
templates under attack.

The patchset is based on an implementation from Michal Koutný but
extended to other protocols. The other difference is that we
use cp->state for template flags because there are not many
free bits in cp->flags that are sent in the sync protocol
messages.

v1->v2:
- the first patch in v1 was split into patches 1 and 2
- in patch 2 do not clear unknown bits in the state received by backup server

Julian Anastasov (3):
  ipvs: provide just conn to ip_vs_state_name
  ipvs: add assured state for conn templates
  ipvs: drop conn templates under attack

 include/net/ip_vs.h                   | 18 +++++++++-
 net/netfilter/ipvs/ip_vs_conn.c       | 67 ++++++++++++++++++++++-------------
 net/netfilter/ipvs/ip_vs_proto.c      | 19 ++++++++--
 net/netfilter/ipvs/ip_vs_proto_sctp.c |  2 ++
 net/netfilter/ipvs/ip_vs_proto_tcp.c  |  2 ++
 net/netfilter/ipvs/ip_vs_proto_udp.c  |  2 ++
 net/netfilter/ipvs/ip_vs_sync.c       | 18 ++++------
 7 files changed, 88 insertions(+), 40 deletions(-)
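As an added illustration (not code from this patch series or the kernel), a small C model of the design the cover letter describes: an assured bit carried in the template's state word, set once a connection progresses past its first packet; the backup keeping state bits it does not understand from a sync message; and a drop policy that discards only unassured templates under attack. The struct and field names, the bit layout and the exact drop policy are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model: the kernel's real layout and names differ. */
#define TPL_STATE_MASK   0x00ffu  /* protocol state number in the low bits */
#define TPL_FLAG_ASSURED 0x0100u  /* template saw traffic after its first packet */

struct conn_tpl {
    uint32_t state;   /* protocol state plus template flags (models cp->state) */
    uint32_t packets; /* packets matched to this template (constructed counter) */
};

/* Called for each packet matched to a template: the second packet
 * proves the connection progressed, so the template becomes assured. */
void tpl_note_packet(struct conn_tpl *t)
{
    t->packets++;
    if (t->packets > 1)
        t->state |= TPL_FLAG_ASSURED;
}

bool tpl_is_assured(const struct conn_tpl *t)
{
    return (t->state & TPL_FLAG_ASSURED) != 0;
}

/* Backup side: store the state word from a sync message as-is. Unknown
 * bits are kept rather than masked off, so flags sent by a newer master
 * survive on a backup that does not yet interpret them (the v2 change). */
void tpl_sync_recv_state(struct conn_tpl *t, uint32_t wire_state)
{
    t->state = wire_state;
}

/* Under attack (connection table pressure): mark only templates that never
 * progressed past their first packet for dropping; assured ones survive.
 * Returns how many templates were marked. */
size_t tpl_drop_under_attack(const struct conn_tpl *tpls, size_t n, bool *drop)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        drop[i] = !tpl_is_assured(&tpls[i]);
        if (drop[i])
            count++;
    }
    return count;
}
```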

Comments

Simon Horman July 17, 2018, 12:34 p.m. UTC | #1
On Fri, Jul 06, 2018 at 08:25:51AM +0300, Julian Anastasov wrote:
> This patchset changes how templates are dropped under attack.
> 
> Patch 1 changes ip_vs_state_name arguments, so that we can
> print info in a followup patch by using just the state.
> 
> Patch 2 implements an assured flag for connection templates to
> indicate that the connection progressed after the initial packet.
> 
> Patch 3 uses the assured state to decide whether to drop connection
> templates under attack.
> 
> The patchset is based on an implementation from Michal Koutný but
> extended to other protocols. The other difference is that we
> use cp->state for template flags because there are not many
> free bits in cp->flags that are sent in the sync protocol
> messages.
> 
> v1->v2:
> - the first patch in v1 was split into patches 1 and 2
> - in patch 2 do not clear unknown bits in the state received by backup server

Sorry for the delay. This looks good to me.

Reviewed-by: Simon Horman <horms+renesas@verge.net.au>

Pablo, could you take this through nf-next?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso July 17, 2018, 12:37 p.m. UTC | #2
On Tue, Jul 17, 2018 at 02:34:21PM +0200, Simon Horman wrote:
> On Fri, Jul 06, 2018 at 08:25:51AM +0300, Julian Anastasov wrote:
> > This patchset changes how templates are dropped under attack.
> > 
> > Patch 1 changes ip_vs_state_name arguments, so that we can
> > print info in a followup patch by using just the state.
> > 
> > Patch 2 implements an assured flag for connection templates to
> > indicate that the connection progressed after the initial packet.
> > 
> > Patch 3 uses the assured state to decide whether to drop connection
> > templates under attack.
> > 
> > The patchset is based on an implementation from Michal Koutný but
> > extended to other protocols. The other difference is that we
> > use cp->state for template flags because there are not many
> > free bits in cp->flags that are sent in the sync protocol
> > messages.
> > 
> > v1->v2:
> > - the first patch in v1 was split into patches 1 and 2
> > - in patch 2 do not clear unknown bits in the state received by backup server
> 
> Sorry for the delay. This looks good to me.
> 
> Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
> 
> Pablo, could you take this through nf-next?

Sure, will do asap, thanks.
Pablo Neira Ayuso July 17, 2018, 1:09 p.m. UTC | #3
On Fri, Jul 06, 2018 at 08:25:51AM +0300, Julian Anastasov wrote:
> This patchset changes how templates are dropped under attack.
> 
> Patch 1 changes ip_vs_state_name arguments, so that we can
> print info in a followup patch by using just the state.
> 
> Patch 2 implements an assured flag for connection templates to
> indicate that the connection progressed after the initial packet.
> 
> Patch 3 uses the assured state to decide whether to drop connection
> templates under attack.
> 
> The patchset is based on an implementation from Michal Koutný but
> extended to other protocols. The other difference is that we
> use cp->state for template flags because there are not many
> free bits in cp->flags that are sent in the sync protocol
> messages.

Series applied, thanks!
Simon Horman July 19, 2018, 6 a.m. UTC | #4
On Tue, Jul 17, 2018 at 03:09:02PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 06, 2018 at 08:25:51AM +0300, Julian Anastasov wrote:
> > This patchset changes how templates are dropped under attack.
> > 
> > Patch 1 changes ip_vs_state_name arguments, so that we can
> > print info in a followup patch by using just the state.
> > 
> > Patch 2 implements an assured flag for connection templates to
> > indicate that the connection progressed after the initial packet.
> > 
> > Patch 3 uses the assured state to decide whether to drop connection
> > templates under attack.
> > 
> > The patchset is based on an implementation from Michal Koutný but
> > extended to other protocols. The other difference is that we
> > use cp->state for template flags because there are not many
> > free bits in cp->flags that are sent in the sync protocol
> > messages.
> 
> Series applied, thanks!

Great, thanks!