From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Julian Anastasov , Simon Horman , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.19 047/113] ipvs: do not schedule icmp errors from tunnels Date: Wed, 15 May 2019 12:55:38 +0200 Message-Id: <20190515090657.213016439@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190515090652.640988966@linuxfoundation.org> References: <20190515090652.640988966@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ] We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found. Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") Signed-off-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/ipvs/ip_vs_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 3f963ea222774..a42c1bc7c6982 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1647,7 +1647,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) -- 2.20.1
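Review bot: the new `ipip ||` test in the `if (!cp)` branch of ip_vs_in_icmp() carries no comment explaining why ICMP errors that arrived from a tunnel skip ip_vs_try_to_schedule(), and the hunk's context does not show where `ipip` is set, so the rationale lives only in the commit message. A short comment above the condition, along the lines of "ICMP errors from a tunneling real server are decapsulated only for an existing connection, never scheduled", would keep that reasoning next to the code. Please also confirm that NF_ACCEPT is the intended verdict for a tunnel ICMP error with no matching connection, since that return is now shared with the case where sysctl_schedule_icmp() is off and the two can no longer be told apart at this point.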