releases/4.19.31/ipvs-fix-dependency-on-nf_defrag_ipv6.patch

   1 From 69c4571e9ff6e3573fedab4c14a4f7f33f3cf52b Mon Sep 17 00:00:00 2001
   2 From: Andrea Claudi <aclaudi@redhat.com>
   3 Date: Mon, 11 Feb 2019 16:14:39 +0100
   4 Subject: ipvs: fix dependency on nf_defrag_ipv6
   5
   6 [ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]
   7
   8 ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
   9 but lacks proper Kconfig dependencies and does not explicitly
  10 request defrag features.
  11
  12 As a result, if netfilter hooks are not loaded, when IPv6 fragmented
  13 packet are handled by ipvs only the first fragment makes through.
  14
  15 Fix it properly declaring the dependency on Kconfig and registering
  16 netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().
  17
  18 Reported-by: Li Shuang <shuali@redhat.com>
  19 Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
  20 Acked-by: Julian Anastasov <ja@ssi.bg>
  21 Acked-by: Simon Horman <horms@verge.net.au>
  22 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  23 Signed-off-by: Sasha Levin <sashal@kernel.org>
  24 ---
  25  net/netfilter/ipvs/Kconfig      |  1 +
  26  net/netfilter/ipvs/ip_vs_core.c | 10 ++++------
  27  net/netfilter/ipvs/ip_vs_ctl.c  | 10 ++++++++++
  28  3 files changed, 15 insertions(+), 6 deletions(-)
  29
  30 diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
  31 index cad48d07c818..8401cefd9f65 100644
  32 --- a/net/netfilter/ipvs/Kconfig
  33 +++ b/net/netfilter/ipvs/Kconfig
  34 @@ -29,6 +29,7 @@ config        IP_VS_IPV6
  35         bool "IPv6 support for IPVS"
  36         depends on IPV6 = y || IP_VS = IPV6
  37         select IP6_NF_IPTABLES
  38 +       select NF_DEFRAG_IPV6
  39         ---help---
  40           Add IPv6 support to IPVS.
  41
  42 diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
  43 index 7ca926a03b81..3f963ea22277 100644
  44 --- a/net/netfilter/ipvs/ip_vs_core.c
  45 +++ b/net/netfilter/ipvs/ip_vs_core.c
  46 @@ -1536,14 +1536,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
  47                 /* sorry, all this trouble for a no-hit :) */
  48                 IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
  49                               "ip_vs_in: packet continues traversal as normal");
  50 -               if (iph->fragoffs) {
  51 -                       /* Fragment that couldn't be mapped to a conn entry
  52 -                        * is missing module nf_defrag_ipv6
  53 -                        */
  54 -                       IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
  55 +
  56 +               /* Fragment couldn't be mapped to a conn entry */
  57 +               if (iph->fragoffs)
  58                         IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
  59                                       "unhandled fragment");
  60 -               }
  61 +
  62                 *verdict = NF_ACCEPT;
  63                 return 0;
  64         }
  65 diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
  66 index 55a77314340a..8fd8d06454d6 100644
  67 --- a/net/netfilter/ipvs/ip_vs_ctl.c
  68 +++ b/net/netfilter/ipvs/ip_vs_ctl.c
  69 @@ -43,6 +43,7 @@
  70  #ifdef CONFIG_IP_VS_IPV6
  71  #include <net/ipv6.h>
  72  #include <net/ip6_route.h>
  73 +#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
  74  #endif
  75  #include <net/route.h>
  76  #include <net/sock.h>
  77 @@ -895,6 +896,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
  78  {
  79         struct ip_vs_dest *dest;
  80         unsigned int atype, i;
  81 +       int ret = 0;
  82
  83         EnterFunction(2);
  84
  85 @@ -905,6 +907,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
  86                         atype & IPV6_ADDR_LINKLOCAL) &&
  87                         !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
  88                         return -EINVAL;
  89 +
  90 +               ret = nf_defrag_ipv6_enable(svc->ipvs->net);
  91 +               if (ret)
  92 +                       return ret;
  93         } else
  94  #endif
  95         {
  96 @@ -1228,6 +1234,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
  97                         ret = -EINVAL;
  98                         goto out_err;
  99                 }
 100 +
 101 +               ret = nf_defrag_ipv6_enable(ipvs->net);
 102 +               if (ret)
 103 +                       goto out_err;
 104         }
 105  #endif
 106
 107 --
 108 2.19.1
 109