Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp471478yba;
        Wed, 15 May 2019 04:43:35 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyOGy+XgLMzYU/fT/sXoAaxkjkecN9zk74kEbbzeGX2fmjm0DJjANKHAbetIdj2/zwE3p1l
X-Received: by 2002:a62:ae05:: with SMTP id q5mr45976839pff.13.1557920615635;
        Wed, 15 May 2019 04:43:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557920615; cv=none;
        d=google.com; s=arc-20160816;
        b=evW13w1AQLqdH1RonTVJN4srgULiLef8gJc8iVB51IC+kB/iWypj6HsAci+JAcP2wv
         RXh281/Hj3umep8bq+/wpTlsyjiVGCF/Xr4bgkEfZjRLlFPZnkh3bu69W6qDoazGmheQ
         uMlmiB/BFUBNSXJ/LrzotVla8ymu5XuknpSJ8NVA9XBnnEBjkkSDw3cw8fW04Qjs6Al9
         kb8NvuX75805v9Oz2y7v3o3oS1PfBWQ4ykxFFYmYhRdzjjY24NKOIdm+661BRDRWCJjj
         S4KwxK6MvQJ9ttU9/ihrUlYqmBASE5Tv18XZMB0p69FfqS/tkgZePTHWA0NivYdN7JNH
         xMqw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=eQbUUfTCR4IbwaLo5yyknnWcpp4zI467YueoBoHMMIk=;
        b=MGf+qdt3tDWXKBO4m4YjcbL0KI4pzy6AfvGkZ456iKHHz8LB33WS8QkV/sGRn5mIhq
         U7ZgHf3PfplV5buNx9Wt050eXWocFtKz1omcLsgHFUg/m/+pbU4EU8yNyC8ljXGO72+A
         aidOZM9ABi4AlZ+ZktqUskcG62f9+pgDI1F/hdqRX8CiudoVjIcbFowXcSBAlLq69Axk
         YFo1/r+LQl7BXUglHwrReMaKfLKIEY6ak7N/6uclqQ/9X5iNZuxwDihoPu9PbYMjzbrq
         VW8chW8idPImRyv7hNWR/yfiLb94FE/AIz62zNvbSjNmTK7uxjlGB8IuZwzHm11X5h/l
         kaBw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=lT5LOs2f;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 191si2033039pfa.100.2019.05.15.04.43.21;
        Wed, 15 May 2019 04:43:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=lT5LOs2f;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732532AbfEOLlm (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Wed, 15 May 2019 07:41:42 -0400
Received: from mail.kernel.org ([198.145.29.99]:39718 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726525AbfEOL2f (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 15 May 2019 07:28:35 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 89F7F20818;
        Wed, 15 May 2019 11:28:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1557919715;
        bh=WlWMS1xXo7beueki27apiS84qmVZ+m3dhjYsOpVi51o=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=lT5LOs2fe2uxrIigCuzrK85ZDYYGGK+/FSEFznQbm/HTUPckrWKSBDh5eg2TLZ9kV
         v6NfQuBLx2WtjK6jF+xl1dKK4e7BgMX5KLPw7mhbizdVBqhaNl8ZLNR7NGLyazxqei
         YOpbpLXRTzUSbbKzYqiz9hMDliuzQTeiQbP3pyik=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Julian Anastasov <ja@ssi.bg>,
        Simon Horman <horms@verge.net.au>,
        Pablo Neira Ayuso <pablo@netfilter.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.0 065/137] ipvs: do not schedule icmp errors from tunnels
Date:   Wed, 15 May 2019 12:55:46 +0200
Message-Id: <20190515090658.180646169@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190515090651.633556783@linuxfoundation.org>
References: <20190515090651.633556783@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 235205c93e14b..df112b27246a3 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1647,7 +1647,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
 	if (!cp) {
 		int v;
 
-		if (!sysctl_schedule_icmp(ipvs))
+		if (ipip || !sysctl_schedule_icmp(ipvs))
 			return NF_ACCEPT;
 
 		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
-- 
2.20.1