From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Julian Anastasov, Simon Horman, Pablo Neira Ayuso, Sasha Levin, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: [PATCH AUTOSEL 4.14 24/95] ipvs: do not schedule icmp errors from tunnels
Date: Tue, 7 May 2019 01:37:13 -0400
Message-Id: <20190507053826.31622-24-sashal@kernel.org>

From: Julian Anastasov

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 4278f5c947ab..d1c0378144f3 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1635,7 +1635,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) -- 2.20.1
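
Review bot: the new `ipip ||` test in the `if (!cp)` branch of ip_vs_in_icmp() carries no comment, so the reason ICMP errors from tunnels return NF_ACCEPT without reaching ip_vs_try_to_schedule() is recorded only in the commit message. A one-line comment above the condition, saying that ICMP errors from a tunneling real server are decapsulated only when an existing connection is found, would keep that intent next to the code. The hunk also does not show where `ipip` is declared or assigned, so for this 4.14 backport it is worth confirming that the variable is set before this point in the function in the 4.14 tree, not only upstream.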