ipvs: add assured state for conn templates

cp->state was not used for templates. Add support for state bits and for the first "assured" bit which indicates that some connection controlled by this template was established or assured by the real server. In a followup patch we will use it to drop templates under SYN attack. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Julian Anastasov <ja@ssi.bg> 2018-07-06 08:25:53 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-07-18 11:26:40 +0200
commit: 275411430f892407b885be1de2548b2e632892c3 (patch)
tree: f0e79459f0efcb3be42eaebfe03581b093f91d21 /net/netfilter/ipvs/ip_vs_proto_tcp.c
parent: ec1b28ca9674def4a158808a6493bdb87b993d81 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/ipvs/ip_vs_proto_tcp.c b/net/netfilter/ipvs/ip_vs_proto_tcp.c
index 80d10ad12a15..1770fc6ce960 100644
--- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c
@@ -569,6 +569,8 @@ set_tcp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
 				cp->flags &= ~IP_VS_CONN_F_INACTIVE;
 			}
 		}
+		if (new_state == IP_VS_TCP_S_ESTABLISHED)
+			ip_vs_control_assure_ct(cp);
 	}
 
 	if (likely(pd))
author	Julian Anastasov <ja@ssi.bg>	2018-07-06 08:25:53 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-07-18 11:26:40 +0200
commit	275411430f892407b885be1de2548b2e632892c3 (patch)
tree	f0e79459f0efcb3be42eaebfe03581b093f91d21 /net/netfilter/ipvs/ip_vs_proto_tcp.c
parent	ec1b28ca9674def4a158808a6493bdb87b993d81 (diff)