projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 345c7afc SL |
1 | From 1e2497404b2f5ce3876101ea6b51eb68f187b038 Mon Sep 17 00:00:00 2001 |
| 2 | From: Julian Anastasov <ja@ssi.bg> | |
| 3 | Date: Sun, 31 Mar 2019 13:24:52 +0300 | |
| 4 | Subject: ipvs: do not schedule icmp errors from tunnels | |
| 5 | ||
| 6 | [ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ] | |
| 7 | ||
| 8 | We can receive ICMP errors from client or from | |
| 9 | tunneling real server. While the former can be | |
| 10 | scheduled to real server, the latter should | |
| 11 | not be scheduled, they are decapsulated only when | |
| 12 | existing connection is found. | |
| 13 | ||
| 14 | Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") | |
| 15 | Signed-off-by: Julian Anastasov <ja@ssi.bg> | |
| 16 | Signed-off-by: Simon Horman <horms@verge.net.au> | |
| 17 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | |
| 18 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
| 19 | --- | |
| 20 | net/netfilter/ipvs/ip_vs_core.c | 2 +- | |
| 21 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
| 22 | ||
| 23 | diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c | |
| 24 | index ac212542a2178..c4509a10ce52f 100644 | |
| 25 | --- a/net/netfilter/ipvs/ip_vs_core.c | |
| 26 | +++ b/net/netfilter/ipvs/ip_vs_core.c | |
| 27 | @@ -1484,7 +1484,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, | |
| 28 | if (!cp) { | |
| 29 | int v; | |
| 30 | ||
| 31 | - if (!sysctl_schedule_icmp(ipvs)) | |
| 32 | + if (ipip || !sysctl_schedule_icmp(ipvs)) | |
| 33 | return NF_ACCEPT; | |
| 34 | ||
| 35 | if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) | |
| 36 | -- | |
| 37 | 2.20.1 | |
| 38 |