Martin Schwenke [Tue, 15 Oct 2024 03:11:15 +0000 (14:11 +1100)]
ctdb-scripts: Don't set arp_filter=1 by default in 10.interface
That is, no longer set sysctl net.ipv4.conf.all.arp_filter=1 in
10.interface. Only do this in 13.per_ip_routing.
This effectively reverts commit 0ebd7beb4bcae324acf8e733500a983d22b47e9b by Ronnie Sahlberg from 2007.
I have discussed this with Ronnie. This setting was originally added
to force incoming traffic to the interface hosting each IP. This
would spread the load across multiple interfaces hosting the same
subnet. Without the setting, incoming traffic would go to the first
interface to answer an ARP request, so could be unbalanced if one
interface tended to answer more quickly.
However, networks are now faster and interface bonding/teaming works
well in Linux, so it is less likely that multiple interfaces will be
used in this way.
Also, problems are occurring in exactly the case this is meant to
help: when multiple interfaces host the same subnet.
The Linux kernel documentation for this option says:
arp_filter - BOOLEAN
- 1 - Allows you to have multiple network interfaces on the same
subnet, and have the ARPs for each interface be answered
based on whether or not the kernel would route a packet from
the ARP'd IP out that interface (therefore you must use source
based routing for this to work). In other words it allows control
of which cards (usually 1) will respond to an arp request.
- 0 - (default) The kernel can respond to arp requests with addresses
from other interfaces. This may seem wrong but it usually makes
sense, because it increases the chance of successful communication.
IP addresses are owned by the complete host on Linux, not by
particular interfaces. Only for more complex setups like load-
balancing, does this behaviour cause problems.
arp_filter for the interface will be enabled if at least one of
conf/{all,interface}/arp_filter is set to TRUE,
it will be disabled otherwise
Note the part for arp_filter=1 that says "you must use source based
routing for this to work". The problems are probably due to a lack of
source-based routing when this is only used with 10.interface. In
this case, outbound packets can come from a different
interface (corresponding to the first matching route), with a
different MAC address. There is clearly some infrastructure or packet
filtering out there that objects to such asymmetric packet flows.
So, drop this setting from 10.interface because it isn't working as
intended. Continue to enable it in 13.per_ip_routing, which exists to
set up the required source-based routing.
This change may affect balancing of packet flows when public IP
addresses can be hosted by multiple interfaces, but does not stop that
feature from working.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Oct 17 18:53:32 UTC 2024 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 16 19:05:15 UTC 2024 on atb-devel-224
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 14 12:23:04 UTC 2024 on atb-devel-224
smbtorture: Allow debugging output to be configured using smb.conf parameters
It might be useful to see timestamps for some smbtorture tests.
Timestamps can be printed via 'debug syslog format=always'.
It can be specified either in smb.conf or directly via smbtorture option
-T 'OPTION=VALUE' smb.conf option line
However, smbtorture is not evaluating the option. It needs to call
reopen_logs()->debug_set_settings() to copy
'Globals.debug_syslog_format' to 'state->settings.debug_syslog_format'
dbwrap_lock_order_unlock: release lock order 3 for /home/pfilipen/ws/projects/samba/smbtorture/st/client/lockdir/g_lock.tdb
waited
child 2473726 exited with 0
g_lock_lock_retry: watch_recv returned NT_STATUS_OK
After (see 1 sec delay):
2024-10-13T21:26:56.476859+00:00 addc.addom.samba.example.com smbtorture[2473806]: dbwrap_lock_order_unlock: release lock order 3 for /home/pfilipen/ws/projects/samba/smbtorture/st/client/lockdir/g_lock.tdb
waited
child 2473807 exited with 0
2024-10-13T21:26:57.487363+00:00 addc.addom.samba.example.com smbtorture[2473806]: g_lock_lock_retry: watch_recv returned NT_STATUS_OK
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 10 15:17:46 UTC 2024 on atb-devel-224
dcesrv_core: fix the auth3 for large ntlmssp messages
I know finding any real logic in reading the patch,
doesn't really show what's going on. I tried hard
to simplify it, but this is the only way I found
that fixed the test_auth_pad_ntlm_2889_auth3 test
without breaking other tests...
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3
Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.
Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.
Note, the auth_pad_length field is send as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.
tests/dcerpc/raw_protocol: test invalid schannel binds
Note the ad_member will keep these as expected failures,
as it doesn't provide the netlogon service,
while the knownfail for the ADDC is only temporary.
tests/dcerpc/raw_protocol: add more test for auth padding during ALTER_CONTEXT/AUTH3
The aim is to keep testing the code paths, which are no longer
testing because allow_bind_auth_pad is false now, which
means the existing tests fail directly at the BIND,
but we also want to test the error handling on
ALTER_CONTEXT (and AUTH3).
dcesrv_core: disconnect after a fault with non AUTH_LEVEL_CONNECT bind
Without an auth context using DCERPC_AUTH_LEVEL_PACKET or higher
the fault to reject requests with an invalid auth level
should trigger a disconnect after sending the fault to
the client.
s4:selftest: only run ad_member with AUTH_LEVEL_CONNECT_LSA=1
We only want to test against
'allow dcerpc auth level connect:lsarpc = yes' once
in order to have the related code tests.
We use the ad_memeber for that special test and
use the default on the tested ADDC.
This reveals some knownfails, which will be fixed in
the next commit...
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Oct 10 13:59:18 UTC 2024 on atb-devel-224
s3:smbd: allow reset_share_mode_entry() to handle more than one durable handle
This means that multiple durable handles with RH leases can
co-exist now... Before only the last remaining durable handle
was able to pass the SMB_VFS_DURABLE_DISCONNECT() step.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Oct 8 12:27:17 UTC 2024 on atb-devel-224
Martin Schwenke [Thu, 29 Aug 2024 08:38:58 +0000 (18:38 +1000)]
ctdb-server: Use find_public_ip_vnn() in a couple of extra places
Reorder code to use early returns, modernise debug.
Best reviewed with "git show -w".
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Oct 8 06:42:04 UTC 2024 on atb-devel-224
Martin Schwenke [Fri, 9 Aug 2024 00:53:46 +0000 (10:53 +1000)]
ctdb-daemon: Ensure CTDB_BASE is set, don't fetch it
Uses of CTDB_BASE in the subsequent code are now handled by the path
module, so there is no point getting the value of CTDB_BASE. Instead,
check that the attempt to set it worked, noting that:
[...] if overwrite is zero, then the value of name is not
changed (and setenv() returns a success status).
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Thu, 25 Jul 2024 04:47:06 +0000 (14:47 +1000)]
ctdb-daemon: Add ctdb_vnn_address_string() and use in trivial places
Define a static function to return the string. This clearly doesn't
need a ctdb_ prefix, but it matches ctdb_vnn_iface_string(), so
doesn't look out of place.
Use it in the places where review is trivial.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Thu, 25 Jul 2024 04:40:18 +0000 (14:40 +1000)]
ctdb-daemon: Store public address string in VNN
These are currently converted to strings constantly in log messages
and other places. This clutters the code and probably has a minor
performance impact.
Add a new string field to the VNN structure. Populate it when a
public address is added and the VNN structure is allocated. This is
consistent with how node addresses are handled.
Don't use it yet, or this commit becomes huge.
A short-term goal is that each VNN public address will be converted to
a string only once. A longer-term goal is to reduce use of
ctdb_addr_to_str().
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
projects / thirdparty / samba.git / log
