Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp488733yba;
        Wed, 15 May 2019 05:03:27 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzLE+xWBP5xgBruyVmMAXbb+GEdKrq6cd6KPVFIro+VH3bkc9Pc2Tr04y9pxIiEqmjmpyZh
X-Received: by 2002:a63:785:: with SMTP id 127mr41469161pgh.230.1557921807061;
        Wed, 15 May 2019 05:03:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557921807; cv=none;
        d=google.com; s=arc-20160816;
        b=kC6bqYwfcGzs5Yb/gx6CJOQh37Fh1A9dXJS6kjJxyO3Mu0rdvnFqZRgkCmhIgNiBfb
         q0LyuPGBtH5KE8krvBPuWDVx9LXeioWjJBG71dKVyRmwqXbtc7fciO9RQMFDDpnHWAz8
         RZqCW1AO9D5/6ohav7nPj2B6AGyV99KLLkdcn60s61576WVGVik9tkAWbzExVnwpJVuA
         gH163INa/hckOomOD/vVxVOn3SQRfGNrdXhx7Upnv8rkEpiMpl/f6pysyi/F4X2/+7SM
         YKW0bcBUeDoQCdR6Tf7D3j8fJbYZzSvadWuyuWHOxd6Vz4TrNpMAMdCCwa+/HaPdHgNa
         f8rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=v/KVtO3BDr7i8D3HMS9WhI0Z8A2TY9WCs6Piue9eRKA=;
        b=CTOeQ8lOVwEXjrKxHAVZgvZo8oH1tg21RB5df/aJ72dluTCx4oNjV8N0S/otWCvh6w
         4iLHir9QR+x7pFZLzopazURqMrQcIA2D3RZEJcFhCeEryl0DYAaeH8aiFacCvMo5cthv
         2nJ9OBZAnAjwcYCXJkstOpuDuw5931TCzXfoyEO6W/se+I/yjTi1H/agj+ugts5YibhJ
         aINK2We6PTA0r/Ix5uBJ+pgcxZwxw/HlNtTJ50JYZWAZQOzztXHJW/Aza2Bcr9CoVBgu
         MfCT9/2Zk6yeqiU8y/YoeOKPegAQHi0pqg4fuzaVyEJyiUgm3rY64inLmCOmz4TSuqAb
         R8Ug==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=XiveCKYH;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 67si1857566pfe.269.2019.05.15.05.03.10;
        Wed, 15 May 2019 05:03:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=XiveCKYH;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730086AbfEOLOL (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Wed, 15 May 2019 07:14:11 -0400
Received: from mail.kernel.org ([198.145.29.99]:50046 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730075AbfEOLOG (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 15 May 2019 07:14:06 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id E363221726;
        Wed, 15 May 2019 11:14:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1557918845;
        bh=QhDTGCZX6pVW8veX4JHuUSszGyQ6k9v1pW9KYOfzvJc=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=XiveCKYHEQIUFVhZ0dK/tYSGlG/VoNHJLu1iikwCO/BrNQpalwsLKs5vVNFVhOeVC
         Hjx6E4bUyUP/XSJykUXJkhiPWYjEd0GSWSLcH1OL57GzZQb/Aa9/sRznBv7RHvSWxf
         8G2MTCi592KGPWzILEOLQVijZBveFswL45rZjftA=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Julian Anastasov <ja@ssi.bg>,
        Simon Horman <horms@verge.net.au>,
        Pablo Neira Ayuso <pablo@netfilter.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 21/51] ipvs: do not schedule icmp errors from tunnels
Date:   Wed, 15 May 2019 12:55:56 +0200
Message-Id: <20190515090623.551043356@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190515090616.669619870@linuxfoundation.org>
References: <20190515090616.669619870@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]

We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index fd186b011a999..8475e8692ff04 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1643,7 +1643,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
 	if (!cp) {
 		int v;
 
-		if (!sysctl_schedule_icmp(ipvs))
+		if (ipip || !sysctl_schedule_icmp(ipvs))
 			return NF_ACCEPT;
 
 		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
-- 
2.20.1