LVS
lvs-devel
Google
 
Web LinuxVirtualServer.org

[PATCH nf-next 11/15] ipvs: ensure that ICMP cannot be sent in reply to

To: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Subject: [PATCH nf-next 11/15] ipvs: ensure that ICMP cannot be sent in reply to ICMP
Cc: lvs-devel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, Wensong Zhang <wensong@xxxxxxxxxxxx>, Julian Anastasov <ja@xxxxxx>, Alex Gartrell <agartrell@xxxxxx>, Simon Horman <horms@xxxxxxxxxxxx>
From: Simon Horman <horms@xxxxxxxxxxxx>
Date: Thu, 17 Sep 2015 14:40:47 +0900
From: Alex Gartrell <agartrell@xxxxxx>

Check the header for icmp before sending a PACKET_TOO_BIG

Signed-off-by: Alex Gartrell <agartrell@xxxxxx>
Acked-by: Julian Anastasov <ja@xxxxxx>
Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
---
 net/netfilter/ipvs/ip_vs_xmit.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index af5e9d3b4de9..c5be055ae32e 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -224,7 +224,7 @@ static inline bool ensure_mtu_is_adequate(int skb_af, int 
rt_mode,
                        if (!skb->dev)
                                skb->dev = net->loopback_dev;
                        /* only send ICMP too big on first fragment */
-                       if (!ipvsh->fragoffs)
+                       if (!ipvsh->fragoffs && !ip_vs_iph_icmp(ipvsh))
                                icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                        IP_VS_DBG(1, "frag needed for %pI6c\n",
                                  &ipv6_hdr(skb)->saddr);
@@ -242,7 +242,8 @@ static inline bool ensure_mtu_is_adequate(int skb_af, int 
rt_mode,
                        return true;
 
                if (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&
-                            skb->len > mtu && !skb_is_gso(skb))) {
+                            skb->len > mtu && !skb_is_gso(skb) &&
+                            !ip_vs_iph_icmp(ipvsh))) {
                        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                                  htonl(mtu));
                        IP_VS_DBG(1, "frag needed for %pI4\n",
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread] Current Thread [Next in Thread>