From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Anastasov, Simon Horman, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.4 171/266] ipvs: do not schedule icmp errors from tunnels
Date: Wed, 15 May 2019 12:54:38 +0200
Message-Id: <20190515090728.706515181@linuxfoundation.org>

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
--- net/netfilter/ipvs/ip_vs_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index ac212542a2178..c4509a10ce52f 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1484,7 +1484,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) -- 2.20.1
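Review bot: The new `ipip ||` test in the `if (!cp)` branch of ip_vs_in_icmp() carries no comment, and the reason for it exists only in the commit message. A one-line comment above the condition, saying that ICMP errors arriving from a tunneling real server are never scheduled and are decapsulated only for an existing connection, would keep the intent next to the code. `ipip` is assigned outside the lines shown, so it is worth confirming that it is true only for the tunneled case by the time this branch is reached. The tunneled case now returns NF_ACCEPT whatever the schedule_icmp sysctl is set to, so when no connection matches the packet continues up the stack without being handed to ip_vs_try_to_schedule(); if accept rather than drop is the intended outcome there, the comment should say so.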