Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge tag 'ipvs-fixes-for-v4.12' of http://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs

Simon Horman says:

====================
IPVS Fixes for v4.12

please consider this fix to IPVS for v4.12.

* It is a fix from Julian Anastasov to only SNAT SNAT packet replies only for
  NATed connections

My understanding is that this fix is appropriate for 4.9.25, 4.10.13, 4.11
as well as the nf tree. Julian has separately posted backports for other
-stable kernels; please see:

* [PATCH 3.2.88,3.4.113 -stable 1/3] ipvs: SNAT packet replies only for
        NATed connections
* [PATCH 3.10.105,3.12.73,3.16.43,4.1.39 -stable 2/3] ipvs: SNAT packet
        replies only for NATed connections
* [PATCH 4.4.65 -stable 3/3] ipvs: SNAT packet replies only for NATed
        connections
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso 8 years ago
parent
9338d7b441 3c5ab3f395
commit
ff1e4300cf
1 changed files with 14 additions and 5 deletions
Unified View Show Diff Stats
  1. 14 5
      net/netfilter/ipvs/ip_vs_core.c

+ 14 - 5
net/netfilter/ipvs/ip_vs_core.c
View File 

@@ -849,10 +849,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
 
 {
 
 {
 
 	unsigned int verdict = NF_DROP;
 
 	unsigned int verdict = NF_DROP;
 
 
 
-	if (IP_VS_FWD_METHOD(cp) != 0) {
 
-		pr_err("shouldn't reach here, because the box is on the "
 
-		       "half connection in the tun/dr module.\n");
 
-	}
 
+	if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
 
+		goto ignore_cp;
 
 
 
 	/* Ensure the checksum is correct */
 
 	/* Ensure the checksum is correct */
 
 	if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
 
 	if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
 
@@ -886,6 +884,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
 
 		ip_vs_notrack(skb);
 
 		ip_vs_notrack(skb);
 
 	else
 
 	else
 
 		ip_vs_update_conntrack(skb, cp, 0);
 
 		ip_vs_update_conntrack(skb, cp, 0);
 
+
 
+ignore_cp:
 
 	verdict = NF_ACCEPT;
 
 	verdict = NF_ACCEPT;
 
 
 
 out:
 
 out:
 
@@ -1385,8 +1385,11 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
 
 	 */
 
 	 */
 
 	cp = pp->conn_out_get(ipvs, af, skb, &iph);
 
 	cp = pp->conn_out_get(ipvs, af, skb, &iph);
 
 
 
-	if (likely(cp))
 
+	if (likely(cp)) {
 
+		if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
 
+			goto ignore_cp;
 
 		return handle_response(af, skb, pd, cp, &iph, hooknum);
 
 		return handle_response(af, skb, pd, cp, &iph, hooknum);
 
+	}
 
 
 
 	/* Check for real-server-started requests */
 
 	/* Check for real-server-started requests */
 
 	if (atomic_read(&ipvs->conn_out_counter)) {
 
 	if (atomic_read(&ipvs->conn_out_counter)) {
 
@@ -1444,9 +1447,15 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
 
 			}
 
 			}
 
 		}
 
 		}
 
 	}
 
 	}
 
+
 
+out:
 
 	IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
 
 	IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
 
 		      "ip_vs_out: packet continues traversal as normal");
 
 		      "ip_vs_out: packet continues traversal as normal");
 
 	return NF_ACCEPT;
 
 	return NF_ACCEPT;
 
+
 
+ignore_cp:
 
+	__ip_vs_conn_put(cp);
 
+	goto out;
 
 }
 
 }
 
 
 
 /*
 
 /*