From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Anastasov, Simon Horman, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 5.0 065/137] ipvs: do not schedule icmp errors from tunnels
Date: Wed, 15 May 2019 12:55:46 +0200
Message-Id: <20190515090658.180646169@linuxfoundation.org>
In-Reply-To: <20190515090651.633556783@linuxfoundation.org>
References: <20190515090651.633556783@linuxfoundation.org>

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin

--- net/netfilter/ipvs/ip_vs_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 235205c93e14b..df112b27246a3 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1647,7 +1647,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) -- 2.20.1
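
Review bot: the `ipip` test added to the `if (!cp)` branch of ip_vs_in_icmp() has no comment, so the reason tunnel-originated ICMP errors skip scheduling is recorded only in the commit message. A one-line comment above the condition, saying that errors from a tunneling real server are handled only when an existing connection is found, would keep that reasoning next to the code. `ipip` is neither declared nor assigned in the visible context, so it is worth confirming in the full function that it is set on every path that reaches this check. Because the early return is NF_ACCEPT, an ICMP error from a tunnel with no matching connection is passed on untouched rather than dropped, which is consistent with the stated intent but should be a deliberate choice.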