[thirdparty/kernel/stable-queue.git] / releases / 4.9.177 / ipvs-do-not-schedule-icmp-errors-from-tunnels.patch

From aac1b07909352dcd28f63d1b1d36379451fc63d6 Mon Sep 17 00:00:00 2001
From: Julian Anastasov <ja@ssi.bg>
Date: Sun, 31 Mar 2019 13:24:52 +0300
Subject: ipvs: do not schedule icmp errors from tunnels

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index fd186b011a999..8475e8692ff04 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1643,7 +1643,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
 	if (!cp) {
 		int v;
 
-		if (!sysctl_schedule_icmp(ipvs))
+		if (ipip || !sysctl_schedule_icmp(ipvs))
 			return NF_ACCEPT;
 
 		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
-- 
2.20.1
Commit	Line	Data
27d6b7f2 SL	1	From aac1b07909352dcd28f63d1b1d36379451fc63d6 Mon Sep 17 00:00:00 2001
	2	From: Julian Anastasov <ja@ssi.bg>
	3	Date: Sun, 31 Mar 2019 13:24:52 +0300
	4	Subject: ipvs: do not schedule icmp errors from tunnels
	5
	6	[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]
	7
	8	We can receive ICMP errors from client or from
	9	tunneling real server. While the former can be
	10	scheduled to real server, the latter should
	11	not be scheduled, they are decapsulated only when
	12	existing connection is found.
	13
	14	Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
	15	Signed-off-by: Julian Anastasov <ja@ssi.bg>
	16	Signed-off-by: Simon Horman <horms@verge.net.au>
	17	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	18	Signed-off-by: Sasha Levin <sashal@kernel.org>
	19	---
	20	net/netfilter/ipvs/ip_vs_core.c \| 2 +-
	21	1 file changed, 1 insertion(+), 1 deletion(-)
	22
	23	diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
	24	index fd186b011a999..8475e8692ff04 100644
	25	--- a/net/netfilter/ipvs/ip_vs_core.c
	26	+++ b/net/netfilter/ipvs/ip_vs_core.c
	27	@@ -1643,7 +1643,7 @@ ip_vs_in_icmp(struct netns_ipvs ipvs, struct sk_buff skb, int *related,
	28	if (!cp) {
	29	int v;
	30
	31	- if (!sysctl_schedule_icmp(ipvs))
	32	+ if (ipip \|\| !sysctl_schedule_icmp(ipvs))
	33	return NF_ACCEPT;
	34
	35	if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
	36	--
	37	2.20.1
	38