Re: [PATCH net] ipvs: do not schedule icmp errors from tunnels

On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> We can receive ICMP errors from client or from
> tunneling real server. While the former can be
> scheduled to real server, the latter should
> not be scheduled, they are decapsulated only when
> existing connection is found.
> 
> Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> Signed-off-by: Julian Anastasov <ja@xxxxxx>

Thanks Julian, I assume this is also relevant to -stable.

Pablo, please consider applying this to nf.

Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>

> ---
>  net/netfilter/ipvs/ip_vs_core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index 43bbaa32b1d6..14457551bcb4 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
>  	if (!cp) {
>  		int v;
>  
> -		if (!sysctl_schedule_icmp(ipvs))
> +		if (ipip || !sysctl_schedule_icmp(ipvs))
>  			return NF_ACCEPT;
>  
>  		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
> -- 
> 2.17.1
> 


