Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp651789img; Fri, 22 Mar 2019 05:58:47 -0700 (PDT) X-Google-Smtp-Source: APXvYqwmChsIjwprTboYKl2LdeTpPOABT4sXlglVoOCixdrCLScUNME261U+iaYSU5C8eUvWRxfB X-Received: by 2002:a63:d30b:: with SMTP id b11mr8887047pgg.116.1553259527529; Fri, 22 Mar 2019 05:58:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553259527; cv=none; d=google.com; s=arc-20160816; b=Cik6iUnS7xqtBjTvvZ8ZPkOMfA51K5Pto7jfKYST65i1pVzDWYWJETGEk3Tx3yxYN5 ZDXC+5yWd3/tIUijhCHiomADbjg9QQCdVMW9d7jSwM8/nSI7HbYl7EWEmQVyNy6C33Ei 9F1qp5kdZQ3HVtnp77DU7o5m6d7H1UCfgz7eJ79/IhS4v5x+iUjL/WJRo9Ojh22ccJ7S 8ssY7zvpFIWZPU2E9Mba1fqkz0EMvvH9ZmB4JhIHZcYnrigMGgpLAQOhtZp91Yh9tWjB l1SJDqBTxyAfrQfwzmydVBPy9EM97DaZrWfM3t1v0fuC2iCldRTTymMGmNapqjAv4csX YXXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=hHYNOQ/Lm8SiURXwUCDBStz7eYXJtfIf9xVHzdqavzk=; b=Pq+dEqyVbXzGMPp8okXuDIbYTjDLXzRXIt6ELnZoT75ifOg6w3hf3rgRb80dj0Cgs7 g21sjoyLReOu4zxuEHKmEMc8L4pfNeWv6+HZwwZ2OE15IULEgb1bS77CxtQ5Iv4fTqXM NXdBarsNdb3I/3hdj5tHhsHZYs4Zca3jAko6rib9mRUMWGSgMIMjhb+Jq4ruqs5TDjQW uHQBSRUS306TBf4HI/EhbXGEz8rNjbtoqGe941hditc1aQEefURTMwVbsE8+ZYH914CM 6cF3He2jBTJoMpRHjKZY1OjjhUWgylkUl9BFBtyvXVqUEFNK00NKDS0GHhYkUnPi4M7A /eEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="mE/i8Kpz"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w16si6901617plq.173.2019.03.22.05.58.29; Fri, 22 Mar 2019 05:58:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="mE/i8Kpz"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732143AbfCVLrM (ORCPT + 99 others); Fri, 22 Mar 2019 07:47:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:50338 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728373AbfCVLrK (ORCPT ); Fri, 22 Mar 2019 07:47:10 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2BC5A2075E; Fri, 22 Mar 2019 11:47:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553255229; bh=gGo/zg4aOZkFr87BY4HfAJLW7F8rzVIjTDV2A7A061o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mE/i8KpzLzabBGF+r5mbUiRJkLqGOrrKAMiV284kwr07DKpZE0Lu/J+Dw4EuR8dq2 VUO0uBfbUWb22bbb8goQKrYFo+uq5ki2B9+D0xDmvJlYi1Yv47K2aR5VEh/7wJM//r QO73veKS14/83MSUYqaWc5Os4rPl7ZG/zurw47vs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Li Shuang , Andrea Claudi , Julian Anastasov , Simon Horman , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.14 026/183] ipvs: fix dependency on nf_defrag_ipv6 Date: Fri, 22 Mar 2019 12:14:14 +0100 Message-Id: <20190322111243.649544181@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190322111241.819468003@linuxfoundation.org> References: <20190322111241.819468003@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ] ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation, but lacks proper Kconfig dependencies and does not explicitly request defrag features. As a result, if netfilter hooks are not loaded, when IPv6 fragmented packet are handled by ipvs only the first fragment makes through. Fix it properly declaring the dependency on Kconfig and registering netfilter hooks on ip_vs_add_service() and ip_vs_new_dest(). Reported-by: Li Shuang Signed-off-by: Andrea Claudi Acked-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/ipvs/Kconfig | 1 + net/netfilter/ipvs/ip_vs_core.c | 10 ++++------ net/netfilter/ipvs/ip_vs_ctl.c | 10 ++++++++++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig index b32fb0dbe237..3f8e490d1133 100644 --- a/net/netfilter/ipvs/Kconfig +++ b/net/netfilter/ipvs/Kconfig @@ -29,6 +29,7 @@ config IP_VS_IPV6 bool "IPv6 support for IPVS" depends on IPV6 = y || IP_VS = IPV6 select IP6_NF_IPTABLES + select NF_DEFRAG_IPV6 ---help--- Add IPv6 support to IPVS. diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 1bd53b1e7672..4278f5c947ab 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1524,14 +1524,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, /* sorry, all this trouble for a no-hit :) */ IP_VS_DBG_PKT(12, af, pp, skb, iph->off, "ip_vs_in: packet continues traversal as normal"); - if (iph->fragoffs) { - /* Fragment that couldn't be mapped to a conn entry - * is missing module nf_defrag_ipv6 - */ - IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); + + /* Fragment couldn't be mapped to a conn entry */ + if (iph->fragoffs) IP_VS_DBG_PKT(7, af, pp, skb, iph->off, "unhandled fragment"); - } + *verdict = NF_ACCEPT; return 0; } diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index dff4ead3d117..56dd5ce6274f 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -43,6 +43,7 @@ #ifdef CONFIG_IP_VS_IPV6 #include #include +#include #endif #include #include @@ -888,6 +889,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest, { struct ip_vs_dest *dest; unsigned int atype, i; + int ret = 0; EnterFunction(2); @@ -898,6 +900,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest, atype & IPV6_ADDR_LINKLOCAL) && !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6)) return -EINVAL; + + ret = nf_defrag_ipv6_enable(svc->ipvs->net); + if (ret) + return ret; } else #endif { @@ -1221,6 +1227,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, ret = -EINVAL; goto out_err; } + + ret = nf_defrag_ipv6_enable(ipvs->net); + if (ret) + goto out_err; } #endif -- 2.19.1