From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 03/30] ipvs: Handle inverse and icmp headers in ip_vs_leave
Date: Tue, 22 Sep 2015 11:13:53 +0200 [thread overview]
Message-ID: <1442913260-3925-4-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1442913260-3925-1-git-send-email-pablo@netfilter.org>
From: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/ipvs/ip_vs_core.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4f5d3d1..bb998d4 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -519,6 +519,17 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
return cp;
}
+#ifdef CONFIG_SYSCTL
+static inline int ip_vs_addr_is_unicast(struct net *net, int af,
+ union nf_inet_addr *addr)
+{
+#ifdef CONFIG_IP_VS_IPV6
+ if (af == AF_INET6)
+ return ipv6_addr_type(&addr->in6) & IPV6_ADDR_UNICAST;
+#endif
+ return (inet_addr_type(net, addr->ip) == RTN_UNICAST);
+}
+#endif
/*
* Pass or drop the packet.
@@ -528,33 +539,28 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
struct ip_vs_proto_data *pd, struct ip_vs_iphdr *iph)
{
- __be16 _ports[2], *pptr;
+ __be16 _ports[2], *pptr, dport;
#ifdef CONFIG_SYSCTL
struct net *net;
struct netns_ipvs *ipvs;
- int unicast;
#endif
pptr = frag_safe_skb_hp(skb, iph->len, sizeof(_ports), _ports, iph);
- if (pptr == NULL) {
+ if (!pptr)
return NF_DROP;
- }
+ dport = likely(!ip_vs_iph_inverse(iph)) ? pptr[1] : pptr[0];
#ifdef CONFIG_SYSCTL
net = skb_net(skb);
-#ifdef CONFIG_IP_VS_IPV6
- if (svc->af == AF_INET6)
- unicast = ipv6_addr_type(&iph->daddr.in6) & IPV6_ADDR_UNICAST;
- else
-#endif
- unicast = (inet_addr_type(net, iph->daddr.ip) == RTN_UNICAST);
/* if it is fwmark-based service, the cache_bypass sysctl is up
and the destination is a non-local unicast, then create
a cache_bypass connection entry */
ipvs = net_ipvs(net);
- if (ipvs->sysctl_cache_bypass && svc->fwmark && unicast) {
+ if (ipvs->sysctl_cache_bypass && svc->fwmark &&
+ !(iph->hdr_flags & (IP_VS_HDR_INVERSE | IP_VS_HDR_ICMP)) &&
+ ip_vs_addr_is_unicast(net, svc->af, &iph->daddr)) {
int ret;
struct ip_vs_conn *cp;
unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
@@ -598,9 +604,12 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
* listed in the ipvs table), pass the packets, because it is
* not ipvs job to decide to drop the packets.
*/
- if ((svc->port == FTPPORT) && (pptr[1] != FTPPORT))
+ if (svc->port == FTPPORT && dport != FTPPORT)
return NF_ACCEPT;
+ if (unlikely(ip_vs_iph_icmp(iph)))
+ return NF_DROP;
+
/*
* Notify the client that the destination is unreachable, and
* release the socket buffer.
--
1.7.10.4
next prev parent reply other threads:[~2015-09-22 9:13 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-22 9:13 [PATCH 00/30] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 01/30] ipvs: replace ip_vs_fill_ip4hdr with ip_vs_fill_iph_skb_off Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 02/30] ipvs: Add hdr_flags to iphdr Pablo Neira Ayuso
2015-09-22 9:13 ` Pablo Neira Ayuso [this message]
2015-09-22 9:13 ` [PATCH 04/30] ipvs: pull out ip_vs_try_to_schedule function Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 05/30] ipvs: drop inverse argument to conn_{in,out}_get Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 06/30] ipvs: Make ip_vs_schedule aware of inverse iph'es Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 07/30] ipvs: add schedule_icmp sysctl Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 08/30] ipvs: Use outer header in ip_vs_bypass_xmit_v6 Pablo Neira Ayuso
2015-09-22 9:13 ` [PATCH 09/30] ipvs: sh: support scheduling icmp/inverse packets consistently Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 10/30] ipvs: attempt to schedule icmp packets Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 11/30] ipvs: ensure that ICMP cannot be sent in reply to ICMP Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 12/30] ipvs: support scheduling inverse and icmp TCP packets Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 13/30] ipvs: support scheduling inverse and icmp UDP packets Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 14/30] ipvs: support scheduling inverse and icmp SCTP packets Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 15/30] ipvs: add sysctl to ignore tunneled packets Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 16/30] netfilter: ebtables: Simplify the arguments to ebt_do_table Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 17/30] inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 18/30] inet netfilter: Prefer state->hook to ops->hooknum Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 19/30] netfilter: nf_tables: kill nft_pktinfo.ops Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 20/30] netfilter: x_tables: Pass struct net in xt_action_param Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 21/30] netfilter: x_tables: Use par->net instead of computing from the passed net devices Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 22/30] netfilter: nf_tables: Pass struct net in nft_pktinfo Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 23/30] netfilter: nf_tables: Use pkt->net instead of computing net from the passed net_devices Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 24/30] netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv6 Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 25/30] act_connmark: Remember the struct net instead of guessing it Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 26/30] netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 27/30] ipvs: Read hooknum from state rather than ops->hooknum Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 28/30] netfilter: Pass priv instead of nf_hook_ops to netfilter hooks Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 29/30] netfilter: Pass net into nf_xfrm_me_harder Pablo Neira Ayuso
2015-09-22 9:14 ` [PATCH 30/30] netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6 Pablo Neira Ayuso
2015-09-22 20:12 ` [PATCH 00/30] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1442913260-3925-4-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).