On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> We can receive ICMP errors from client or from
> tunneling real server. While the former can be
> scheduled to real server, the latter should
> not be scheduled, they are decapsulated only when
> existing connection is found.
>
> Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> Signed-off-by: Julian Anastasov <ja@xxxxxx>
Thanks Julian, I assume this is also relevant to -stable.
Pablo, please consider applying this to nf.
Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
> ---
> net/netfilter/ipvs/ip_vs_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index 43bbaa32b1d6..14457551bcb4 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff
> *skb, int *related,
> if (!cp) {
> int v;
>
> - if (!sysctl_schedule_icmp(ipvs))
> + if (ipip || !sysctl_schedule_icmp(ipvs))
> return NF_ACCEPT;
>
> if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp,
> &ciph))
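Review bot: the added `ipip ||` test in `if (ipip || !sysctl_schedule_icmp(ipvs))` carries no comment, and the reason for it (ICMP errors from a tunneling real server must not be scheduled, only decapsulated when an existing connection is found) is recorded only in the commit message. A one-line comment above the condition, for example `/* Schedule ICMP errors only from clients, not from tunneling real servers */`, would keep the two unrelated reasons for the early `return NF_ACCEPT;` distinguishable for later readers. The assignment of `ipip` is outside the visible context, so it is worth confirming it is set on every path that reaches this `!cp` branch.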
> --
> 2.17.1
>