On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> We can receive ICMP errors from client or from
> tunneling real server. While the former can be
> scheduled to real server, the latter should
> not be scheduled, they are decapsulated only when
> existing connection is found.
>
> Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> Signed-off-by: Julian Anastasov <ja@xxxxxx>
Thanks Julian, I assume this is also relevant to -stable.
Pablo, please consider applying this to nf.
Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
> ---
> net/netfilter/ipvs/ip_vs_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index 43bbaa32b1d6..14457551bcb4 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
> if (!cp) {
> int v;
>
> - if (!sysctl_schedule_icmp(ipvs))
> + if (ipip || !sysctl_schedule_icmp(ipvs))
> return NF_ACCEPT;
>
> if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
> --
> 2.17.1
>
