| Message ID | 20200515013556.5582-1-kim.andrewsy@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | netfilter/ipvs: expire no destination UDP connections when expire_nodest_conn=1 | expand |
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index aa6a603a2425..f0535586fe75 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -2116,8 +2116,7 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int else ip_vs_conn_put(cp); - if (sysctl_expire_nodest_conn(ipvs) && - !(flags & IP_VS_CONN_F_ONE_PACKET)) { + if (sysctl_expire_nodest_conn(ipvs)) { /* try to expire the connection immediately */ ip_vs_conn_expire_now(cp); }
When expire_nodest_conn=1 and an IPVS destination is deleted, IPVS doesn't expire connections with the IP_VS_CONN_F_ONE_PACKET flag set (any UDP connection). If there are many UDP packets to a virtual server from a single client and a destination is deleted, many packets are silently dropped whenever an existing connection entry with the same source port exists. This patch ensures IPVS also expires UDP connections when a packet matches an existing connection with no destinations. Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com> --- net/netfilter/ipvs/ip_vs_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)