Hello,
On Wed, 3 Apr 2019, Simon Horman wrote:
> On Sun, Mar 31, 2019 at 01:24:52PM +0300, Julian Anastasov wrote:
> > We can receive ICMP errors from client or from
> > tunneling real server. While the former can be
> > scheduled to real server, the latter should
> > not be scheduled, they are decapsulated only when
> > existing connection is found.
> >
> > Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
> > Signed-off-by: Julian Anastasov <[email protected]>
>
> Thanks Julian, I assume this is also relevant to -stable.
Yes
> Pablo, please consider applying this to nf.
>
> Signed-off-by: Simon Horman <[email protected]>
>
> > ---
> > net/netfilter/ipvs/ip_vs_core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/netfilter/ipvs/ip_vs_core.c
> > b/net/netfilter/ipvs/ip_vs_core.c
> > index 43bbaa32b1d6..14457551bcb4 100644
> > --- a/net/netfilter/ipvs/ip_vs_core.c
> > +++ b/net/netfilter/ipvs/ip_vs_core.c
> > @@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff
> > *skb, int *related,
> > if (!cp) {
> > int v;
> >
> > - if (!sysctl_schedule_icmp(ipvs))
> > + if (ipip || !sysctl_schedule_icmp(ipvs))
> > return NF_ACCEPT;
> >
> > if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp,
> > &ciph))
> > --
> > 2.17.1
Regards
--
Julian Anastasov <[email protected]>
