| author | Julian Anastasov <ja@ssi.bg> | 2019-03-31 10:24:52 (GMT) |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-05-16 17:43:42 (GMT) |
| commit | 31a6e0d3cea0846ad112bf1c9b860d7d81502056 (patch) | |
| tree | c4d47349e2c17b4804564defaa2d31a34a0cef8a | |
| parent | 3a1de1acf46a9b56fee28e917577d3260d49ccb9 (diff) | |
| download | common-31a6e0d3cea0846ad112bf1c9b860d7d81502056.zip common-31a6e0d3cea0846ad112bf1c9b860d7d81502056.tar.gz common-31a6e0d3cea0846ad112bf1c9b860d7d81502056.tar.bz2 | |
ipvs: do not schedule icmp errors from tunnels
[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]
We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.
Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_core.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index fd186b0..8475e86 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1643,7 +1643,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) |