authorJulian Anastasov <ja@ssi.bg>2019-03-31 13:24:52 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-05-16 19:41:23 +0200
commit4e1994ef63657da08709640eada7b4c727818a1a (patch)
tree98d2673ee5ea0c8196c0b29e12e401e2f680dd9b
parentcb9a11d017c63457ca1ae69d6f2575541e3ec7fb (diff)
ipvs: do not schedule icmp errors from tunnels
[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ] We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found. Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 3f963ea22277..a42c1bc7c698 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1647,7 +1647,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
if (!cp) {
int v;
- if (!sysctl_schedule_icmp(ipvs))
+ if (ipip || !sysctl_schedule_icmp(ipvs))
return NF_ACCEPT;
if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
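Review bot: The new `ipip ||` term in `if (ipip || !sysctl_schedule_icmp(ipvs))` carries no comment, and `ipip` is assigned outside this hunk, so a reader cannot tell from here why tunnel-originated errors bypass the schedule_icmp sysctl. I would add above the condition `/* ICMP errors from a tunneling real server are decapsulated only for an existing connection; never schedule them */`, which is the rule the commit message states. The comment is worth having because the `!cp` branch appears to be the only place where an ICMP error that matched no connection can reach ip_vs_try_to_schedule() and obtain a new `cp`, so this guard is what keeps such packets from allocating connection state. ip_vs_in_icmp() begins and ends outside the hunk, so how `ipip` is derived should be confirmed there.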