Re: [PATCH net] ipvs: do not schedule icmp errors from tunnels

To: Simon Horman <horms@xxxxxxxxxxxx>
Subject: Re: [PATCH net] ipvs: do not schedule icmp errors from tunnels
Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, Alex Gartrell <agartrell@xxxxxx>, Jacky Hu <hengqing.hu@xxxxxxxxx>, jacky.hu@xxxxxxxxxxx, jason.niesz@xxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 3 Apr 2019 23:43:28 +0300 (EEST)
        Hello,

On Wed, 3 Apr 2019, Simon Horman wrote:

> On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> > We can receive ICMP errors from client or from
> > tunneling real server. While the former can be
> > scheduled to real server, the latter should
> > not be scheduled, they are decapsulated only when
> > existing connection is found.
> > 
> > Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> > Signed-off-by: Julian Anastasov <ja@xxxxxx>
> 
> Thanks Julian, I assume this is also relevant to -stable.

        Yes

> Pablo, please consider applying this to nf.
> 
> Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
> 
> > ---
> >  net/netfilter/ipvs/ip_vs_core.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/ipvs/ip_vs_core.c 
> > b/net/netfilter/ipvs/ip_vs_core.c
> > index 43bbaa32b1d6..14457551bcb4 100644
> > --- a/net/netfilter/ipvs/ip_vs_core.c
> > +++ b/net/netfilter/ipvs/ip_vs_core.c
> > @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff 
> > *skb, int *related,
> >     if (!cp) {
> >             int v;
> >  
> > -           if (!sysctl_schedule_icmp(ipvs))
> > +           if (ipip || !sysctl_schedule_icmp(ipvs))
> >                     return NF_ACCEPT;
> >  
> >             if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, 
> > &ciph))
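Review bot: the new test `if (ipip || !sysctl_schedule_icmp(ipvs))` in the `!cp` branch carries no comment saying why `ipip` bypasses scheduling, so the reason exists only in the commit message. A one-line comment above the condition, stating that ICMP errors coming from a tunneling real server are decapsulated only when an existing connection is found and are never scheduled, would keep the intent next to the early `return NF_ACCEPT`. The hunk changes only `ip_vs_in_icmp()`, whose scheduling call passes `AF_INET`, so the commit message could also say whether any other ICMP handler needs the same guard.
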
> > -- 
> > 2.17.1

Regards

--
Julian Anastasov <ja@xxxxxx>
