[thirdparty/kernel/stable-queue.git] / releases / 4.9.11 / tcp-fix-mark-propagation-with-fwmark_reflect-enabled.patch

From bf99b4ded5f8a4767dbb9d180626f06c51f9881f Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol <pespin.shar@gmail.com>
Date: Fri, 6 Jan 2017 20:33:28 +0100
Subject: tcp: fix mark propagation with fwmark_reflect enabled

From: Pau Espin Pedrol <pespin.shar@gmail.com>

commit bf99b4ded5f8a4767dbb9d180626f06c51f9881f upstream.

Otherwise, RST packets generated by the TCP stack for non-existing
sockets always have mark 0.
The mark from the original packet is assigned to the netns_ipv4/6
socket used to send the response so that it can get copied into the
response skb when the socket sends it.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/ip_output.c |    1 +
 net/ipv6/tcp_ipv6.c  |    1 +
 2 files changed, 2 insertions(+)

--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1606,6 +1606,7 @@ void ip_send_unicast_reply(struct sock *
 	sk->sk_protocol = ip_hdr(skb)->protocol;
 	sk->sk_bound_dev_if = arg->bound_dev_if;
 	sk->sk_sndbuf = sysctl_wmem_default;
+	sk->sk_mark = fl4.flowi4_mark;
 	err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
 			     len, 0, &ipc, &rt, MSG_DONTWAIT);
 	if (unlikely(err)) {
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -837,6 +837,7 @@ static void tcp_v6_send_response(const s
 	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
 	if (!IS_ERR(dst)) {
 		skb_dst_set(buff, dst);
+		ctl_sk->sk_mark = fl6.flowi6_mark;
 		ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
 		TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 		if (rst)
Commit	Line	Data
6b06d5d7 GKH	1	From bf99b4ded5f8a4767dbb9d180626f06c51f9881f Mon Sep 17 00:00:00 2001
	2	From: Pau Espin Pedrol <pespin.shar@gmail.com>
	3	Date: Fri, 6 Jan 2017 20:33:28 +0100
	4	Subject: tcp: fix mark propagation with fwmark_reflect enabled
	5
	6	From: Pau Espin Pedrol <pespin.shar@gmail.com>
	7
	8	commit bf99b4ded5f8a4767dbb9d180626f06c51f9881f upstream.
	9
	10	Otherwise, RST packets generated by the TCP stack for non-existing
	11	sockets always have mark 0.
	12	The mark from the original packet is assigned to the netns_ipv4/6
	13	socket used to send the response so that it can get copied into the
	14	response skb when the socket sends it.
	15
	16	Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
	17	Cc: Lorenzo Colitti <lorenzo@google.com>
	18	Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
	19	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	net/ipv4/ip_output.c \| 1 +
	24	net/ipv6/tcp_ipv6.c \| 1 +
	25	2 files changed, 2 insertions(+)
	26
	27	--- a/net/ipv4/ip_output.c
	28	+++ b/net/ipv4/ip_output.c
	29	@@ -1606,6 +1606,7 @@ void ip_send_unicast_reply(struct sock *
	30	sk->sk_protocol = ip_hdr(skb)->protocol;
	31	sk->sk_bound_dev_if = arg->bound_dev_if;
	32	sk->sk_sndbuf = sysctl_wmem_default;
	33	+ sk->sk_mark = fl4.flowi4_mark;
	34	err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
	35	len, 0, &ipc, &rt, MSG_DONTWAIT);
	36	if (unlikely(err)) {
	37	--- a/net/ipv6/tcp_ipv6.c
	38	+++ b/net/ipv6/tcp_ipv6.c
	39	@@ -837,6 +837,7 @@ static void tcp_v6_send_response(const s
	40	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
	41	if (!IS_ERR(dst)) {
	42	skb_dst_set(buff, dst);
	43	+ ctl_sk->sk_mark = fl6.flowi6_mark;
	44	ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
	45	TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
	46	if (rst)