[PATCH net] ipvs: do not schedule icmp errors from tunnels

To:	Simon Horman <horms@xxxxxxxxxxxx>
Subject:	[PATCH net] ipvs: do not schedule icmp errors from tunnels
Cc:	lvs-devel@xxxxxxxxxxxxxxx, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxx, Alex Gartrell <agartrell@xxxxxx>, Jacky Hu <hengqing.hu@xxxxxxxxx>, jacky.hu@xxxxxxxxxxx, jason.niesz@xxxxxxxxxxx
From:	Julian Anastasov <ja@xxxxxx>
Date:	Sun, 31 Mar 2019 13:24:52 +0300

We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@xxxxxx>
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 43bbaa32b1d6..14457551bcb4 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff 
*skb, int *related,
        if (!cp) {
                int v;
 
-               if (!sysctl_schedule_icmp(ipvs))
+               if (ipip || !sysctl_schedule_icmp(ipvs))
                        return NF_ACCEPT;
 
                if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, 
&ciph))
-- 
2.17.1

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH net] ipvs: do not schedule icmp errors from tunnels, Julian Anastasov <=

Previous by Date:	Spende an dich, official
Next by Date:	[PATCH net-next 0/3] Add UDP tunnel support for ICMP errors in IPVS, Julian Anastasov
Previous by Thread:	Spende an dich, official
Next by Thread:	[PATCH net-next 0/3] Add UDP tunnel support for ICMP errors in IPVS, Julian Anastasov
Indexes:	[Date] [Thread] [Top] [All Lists]