[thirdparty/kernel/stable-queue.git] / releases / 4.19.31 / ipvs-fix-dependency-on-nf_defrag_ipv6.patch

From 69c4571e9ff6e3573fedab4c14a4f7f33f3cf52b Mon Sep 17 00:00:00 2001
From: Andrea Claudi <aclaudi@redhat.com>
Date: Mon, 11 Feb 2019 16:14:39 +0100
Subject: ipvs: fix dependency on nf_defrag_ipv6

[ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]

ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
but lacks proper Kconfig dependencies and does not explicitly
request defrag features.

As a result, if netfilter hooks are not loaded, when IPv6 fragmented
packet are handled by ipvs only the first fragment makes through.

Fix it properly declaring the dependency on Kconfig and registering
netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().

Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipvs/Kconfig      |  1 +
 net/netfilter/ipvs/ip_vs_core.c | 10 ++++------
 net/netfilter/ipvs/ip_vs_ctl.c  | 10 ++++++++++
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index cad48d07c818..8401cefd9f65 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -29,6 +29,7 @@ config	IP_VS_IPV6
 	bool "IPv6 support for IPVS"
 	depends on IPV6 = y || IP_VS = IPV6
 	select IP6_NF_IPTABLES
+	select NF_DEFRAG_IPV6
 	---help---
 	  Add IPv6 support to IPVS.
 
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 7ca926a03b81..3f963ea22277 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1536,14 +1536,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
 		/* sorry, all this trouble for a no-hit :) */
 		IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
 			      "ip_vs_in: packet continues traversal as normal");
-		if (iph->fragoffs) {
-			/* Fragment that couldn't be mapped to a conn entry
-			 * is missing module nf_defrag_ipv6
-			 */
-			IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
+
+		/* Fragment couldn't be mapped to a conn entry */
+		if (iph->fragoffs)
 			IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
 				      "unhandled fragment");
-		}
+
 		*verdict = NF_ACCEPT;
 		return 0;
 	}
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 55a77314340a..8fd8d06454d6 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -43,6 +43,7 @@
 #ifdef CONFIG_IP_VS_IPV6
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
+#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 #endif
 #include <net/route.h>
 #include <net/sock.h>
@@ -895,6 +896,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
 {
 	struct ip_vs_dest *dest;
 	unsigned int atype, i;
+	int ret = 0;
 
 	EnterFunction(2);
 
@@ -905,6 +907,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
 			atype & IPV6_ADDR_LINKLOCAL) &&
 			!__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
 			return -EINVAL;
+
+		ret = nf_defrag_ipv6_enable(svc->ipvs->net);
+		if (ret)
+			return ret;
 	} else
 #endif
 	{
@@ -1228,6 +1234,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
 			ret = -EINVAL;
 			goto out_err;
 		}
+
+		ret = nf_defrag_ipv6_enable(ipvs->net);
+		if (ret)
+			goto out_err;
 	}
 #endif
 
-- 
2.19.1
Commit	Line	Data
36e3f504 SL	1	From 69c4571e9ff6e3573fedab4c14a4f7f33f3cf52b Mon Sep 17 00:00:00 2001
	2	From: Andrea Claudi <aclaudi@redhat.com>
	3	Date: Mon, 11 Feb 2019 16:14:39 +0100
	4	Subject: ipvs: fix dependency on nf_defrag_ipv6
	5
	6	[ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]
	7
	8	ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
	9	but lacks proper Kconfig dependencies and does not explicitly
	10	request defrag features.
	11
	12	As a result, if netfilter hooks are not loaded, when IPv6 fragmented
	13	packet are handled by ipvs only the first fragment makes through.
	14
	15	Fix it properly declaring the dependency on Kconfig and registering
	16	netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().
	17
	18	Reported-by: Li Shuang <shuali@redhat.com>
	19	Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
	20	Acked-by: Julian Anastasov <ja@ssi.bg>
	21	Acked-by: Simon Horman <horms@verge.net.au>
	22	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	23	Signed-off-by: Sasha Levin <sashal@kernel.org>
	24	---
	25	net/netfilter/ipvs/Kconfig \| 1 +
	26	net/netfilter/ipvs/ip_vs_core.c \| 10 ++++------
	27	net/netfilter/ipvs/ip_vs_ctl.c \| 10 ++++++++++
	28	3 files changed, 15 insertions(+), 6 deletions(-)
	29
	30	diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
	31	index cad48d07c818..8401cefd9f65 100644
	32	--- a/net/netfilter/ipvs/Kconfig
	33	+++ b/net/netfilter/ipvs/Kconfig
	34	@@ -29,6 +29,7 @@ config IP_VS_IPV6
	35	bool "IPv6 support for IPVS"
	36	depends on IPV6 = y \|\| IP_VS = IPV6
	37	select IP6_NF_IPTABLES
	38	+ select NF_DEFRAG_IPV6
	39	---help---
	40	Add IPv6 support to IPVS.
	41
	42	diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
	43	index 7ca926a03b81..3f963ea22277 100644
	44	--- a/net/netfilter/ipvs/ip_vs_core.c
	45	+++ b/net/netfilter/ipvs/ip_vs_core.c
	46	@@ -1536,14 +1536,12 @@ ip_vs_try_to_schedule(struct netns_ipvs ipvs, int af, struct sk_buff skb,
	47	/* sorry, all this trouble for a no-hit :) */
	48	IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
	49	"ip_vs_in: packet continues traversal as normal");
	50	- if (iph->fragoffs) {
	51	- /* Fragment that couldn't be mapped to a conn entry
	52	- * is missing module nf_defrag_ipv6
	53	- */
	54	- IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
	55	+
	56	+ /* Fragment couldn't be mapped to a conn entry */
	57	+ if (iph->fragoffs)
	58	IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
	59	"unhandled fragment");
	60	- }
	61	+
	62	*verdict = NF_ACCEPT;
	63	return 0;
	64	}
65	diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
66	index 55a77314340a..8fd8d06454d6 100644
67	--- a/net/netfilter/ipvs/ip_vs_ctl.c
68	+++ b/net/netfilter/ipvs/ip_vs_ctl.c
69	@@ -43,6 +43,7 @@
70	#ifdef CONFIG_IP_VS_IPV6
71	#include <net/ipv6.h>
72	#include <net/ip6_route.h>
73	+#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
74	#endif
75	#include <net/route.h>
76	#include <net/sock.h>
77	@@ -895,6 +896,7 @@ ip_vs_new_dest(struct ip_vs_service svc, struct ip_vs_dest_user_kern udest,
78	{
79	struct ip_vs_dest *dest;
80	unsigned int atype, i;
81	+ int ret = 0;
82
83	EnterFunction(2);
84
85	@@ -905,6 +907,10 @@ ip_vs_new_dest(struct ip_vs_service svc, struct ip_vs_dest_user_kern udest,
86	atype & IPV6_ADDR_LINKLOCAL) &&
87	!__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
88	return -EINVAL;
89	+
90	+ ret = nf_defrag_ipv6_enable(svc->ipvs->net);
91	+ if (ret)
92	+ return ret;
93	} else
94	#endif
95	{
96	@@ -1228,6 +1234,10 @@ ip_vs_add_service(struct netns_ipvs ipvs, struct ip_vs_service_user_kern u,
97	ret = -EINVAL;
98	goto out_err;
99	}
100	+
101	+ ret = nf_defrag_ipv6_enable(ipvs->net);
102	+ if (ret)
103	+ goto out_err;
104	}
105	#endif
106
107	--
108	2.19.1
109