ipvs: do not schedule icmp errors from tunnels

[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ] We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found. Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Julian Anastasov <ja@ssi.bg> 2019-03-31 13:24:52 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-05-16 19:42:23 +0200
commit: f3cab444f29b328b20f47e965424905352534e5a (patch)
tree: 76b0b0f5739981dabb9cfd371f31296c8722fcbb /net/netfilter
parent: ea7087cf9140ac8d73d764c1f2ca7782b5491073 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4278f5c947ab..d1c0378144f3 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1635,7 +1635,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
 	if (!cp) {
 		int v;
 
-		if (!sysctl_schedule_icmp(ipvs))
+		if (ipip || !sysctl_schedule_icmp(ipvs))
 			return NF_ACCEPT;
 
 		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
author	Julian Anastasov <ja@ssi.bg>	2019-03-31 13:24:52 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-05-16 19:42:23 +0200
commit	f3cab444f29b328b20f47e965424905352534e5a (patch)
tree	76b0b0f5739981dabb9cfd371f31296c8722fcbb /net/netfilter
parent	ea7087cf9140ac8d73d764c1f2ca7782b5491073 (diff)