From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Anastasov, Simon Horman, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.9 21/51] ipvs: do not schedule icmp errors from tunnels
Date: Wed, 15 May 2019 12:55:56 +0200
Message-Id: <20190515090623.551043356@linuxfoundation.org>
In-Reply-To: <20190515090616.669619870@linuxfoundation.org>
References: <20190515090616.669619870@linuxfoundation.org>

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index fd186b011a999..8475e8692ff04 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1643,7 +1643,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) -- 2.20.1
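
Review bot: the new "ipip ||" test in the "if (!cp)" branch of ip_vs_in_icmp() has no comment, and the hunk does not show where ipip is assigned, so someone reading the code without the changelog cannot tell why an ICMP error that arrived through a tunnel skips ip_vs_try_to_schedule() even when sysctl_schedule_icmp() is enabled. A short comment above the condition that repeats the commit message's reasoning (errors from a tunneling real server are decapsulated only when an existing connection is found, and are never scheduled) would keep that rule next to the check. The evaluation order is otherwise as intended: with ipip set, the branch returns NF_ACCEPT before the sysctl is consulted, so no new connection is created from tunnel-originated errors.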