* [PATCH net] ipvs: do not schedule icmp errors from tunnels
@ 2019-03-31 10:24 Julian Anastasov
  2019-04-03  7:45 ` Simon Horman
  2019-04-13 13:00 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Julian Anastasov @ 2019-03-31 10:24 UTC (permalink / raw)
  To: Simon Horman
  Cc: lvs-devel, Pablo Neira Ayuso, netfilter-devel, Alex Gartrell,
	Jacky Hu, jacky.hu, jason.niesz

We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.

Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
---
 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 43bbaa32b1d6..14457551bcb4 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
 	if (!cp) {
 		int v;
 
-		if (!sysctl_schedule_icmp(ipvs))
+		if (ipip || !sysctl_schedule_icmp(ipvs))
 			return NF_ACCEPT;
 
 		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
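Review bot: The new `ipip ||` test in the `if (!cp)` branch has no comment, and `ipip` is assigned outside this hunk, so a reader of ip_vs_in_icmp() alone cannot tell why a tunneled packet skips scheduling. Suggest a one-line comment above the condition carrying the reason from the commit message: ICMP errors from a tunneling real server are decapsulated only when an existing connection is found, so they must not be scheduled.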
-- 
2.17.1



* Re: [PATCH net] ipvs: do not schedule icmp errors from tunnels
  2019-03-31 10:24 [PATCH net] ipvs: do not schedule icmp errors from tunnels Julian Anastasov
@ 2019-04-03  7:45 ` Simon Horman
  2019-04-03 20:43   ` Julian Anastasov
  2019-04-13 13:00 ` Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Simon Horman @ 2019-04-03  7:45 UTC (permalink / raw)
  To: Julian Anastasov, Pablo Neira Ayuso
  Cc: lvs-devel, netfilter-devel, Alex Gartrell, Jacky Hu, jacky.hu,
	jason.niesz

On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> We can receive ICMP errors from client or from
> tunneling real server. While the former can be
> scheduled to real server, the latter should
> not be scheduled, they are decapsulated only when
> existing connection is found.
> 
> Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> Signed-off-by: Julian Anastasov <ja@ssi.bg>

Thanks Julian, I assume this is also relevant to -stable.

Pablo, please consider applying this to nf.

Signed-off-by: Simon Horman <horms@verge.net.au>

> ---
>  net/netfilter/ipvs/ip_vs_core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index 43bbaa32b1d6..14457551bcb4 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
>  	if (!cp) {
>  		int v;
>  
> -		if (!sysctl_schedule_icmp(ipvs))
> +		if (ipip || !sysctl_schedule_icmp(ipvs))
>  			return NF_ACCEPT;
>  
>  		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
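Review bot: The guarded call passes AF_INET to ip_vs_try_to_schedule(), so the `ipip` check covers only this IPv4 path; the changelog should state whether the IPv6 ICMP handler can reach scheduling for errors from tunnels or does not need the same guard. Because the `||` short-circuits, a packet with `ipip` set now returns NF_ACCEPT without sysctl_schedule_icmp() being consulted, which is worth one sentence in the commit message so the sysctl's reduced scope is documented.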
> -- 
> 2.17.1
> 


* Re: [PATCH net] ipvs: do not schedule icmp errors from tunnels
  2019-04-03  7:45 ` Simon Horman
@ 2019-04-03 20:43   ` Julian Anastasov
  0 siblings, 0 replies; 4+ messages in thread
From: Julian Anastasov @ 2019-04-03 20:43 UTC (permalink / raw)
  To: Simon Horman
  Cc: Pablo Neira Ayuso, lvs-devel, netfilter-devel, Alex Gartrell,
	Jacky Hu, jacky.hu, jason.niesz


	Hello,

On Wed, 3 Apr 2019, Simon Horman wrote:

> On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> > We can receive ICMP errors from client or from
> > tunneling real server. While the former can be
> > scheduled to real server, the latter should
> > not be scheduled, they are decapsulated only when
> > existing connection is found.
> > 
> > Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> 
> Thanks Julian, I assume this is also relevant to -stable.

	Yes

> Pablo, please consider applying this to nf.
> 
> Signed-off-by: Simon Horman <horms@verge.net.au>
> 
> > ---
> >  net/netfilter/ipvs/ip_vs_core.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> > index 43bbaa32b1d6..14457551bcb4 100644
> > --- a/net/netfilter/ipvs/ip_vs_core.c
> > +++ b/net/netfilter/ipvs/ip_vs_core.c
> > @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
> >  	if (!cp) {
> >  		int v;
> >  
> > -		if (!sysctl_schedule_icmp(ipvs))
> > +		if (ipip || !sysctl_schedule_icmp(ipvs))
> >  			return NF_ACCEPT;
> >  
> >  		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
> > -- 
> > 2.17.1

Regards

--
Julian Anastasov <ja@ssi.bg>


* Re: [PATCH net] ipvs: do not schedule icmp errors from tunnels
  2019-03-31 10:24 [PATCH net] ipvs: do not schedule icmp errors from tunnels Julian Anastasov
  2019-04-03  7:45 ` Simon Horman
@ 2019-04-13 13:00 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2019-04-13 13:00 UTC (permalink / raw)
  To: Julian Anastasov
  Cc: Simon Horman, lvs-devel, netfilter-devel, Alex Gartrell,
	Jacky Hu, jacky.hu, jason.niesz

On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> We can receive ICMP errors from client or from
> tunneling real server. While the former can be
> scheduled to real server, the latter should
> not be scheduled, they are decapsulated only when
> existing connection is found.

Applied, thanks.
