Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'ipvs-fixes-for-v4.12' of http://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs

Simon Horman says:

====================
IPVS Fixes for v4.12

Please consider this fix to IPVS for v4.12.

* It is a fix from Julian Anastasov to SNAT packet replies only for
NATed connections

My understanding is that this fix is appropriate for 4.9.25, 4.10.13, 4.11
as well as the nf tree. Julian has separately posted backports for other
-stable kernels; please see:

* [PATCH 3.2.88,3.4.113 -stable 1/3] ipvs: SNAT packet replies only for
NATed connections
* [PATCH 3.10.105,3.12.73,3.16.43,4.1.39 -stable 2/3] ipvs: SNAT packet
replies only for NATed connections
* [PATCH 4.4.65 -stable 3/3] ipvs: SNAT packet replies only for NATed
connections
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+14 -5
net/netfilter/ipvs/ip_vs_core.c
··· 849 849 { 850 850 unsigned int verdict = NF_DROP; 851 851 852 - if (IP_VS_FWD_METHOD(cp) != 0) { 853 - pr_err("shouldn't reach here, because the box is on the " 854 - "half connection in the tun/dr module.\n"); 855 - } 852 + if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) 853 + goto ignore_cp; 856 854 857 855 /* Ensure the checksum is correct */ 858 856 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { ··· 884 886 ip_vs_notrack(skb); 885 887 else 886 888 ip_vs_update_conntrack(skb, cp, 0); 889 + 890 + ignore_cp: 887 891 verdict = NF_ACCEPT; 888 892 889 893 out: ··· 1385 1385 */ 1386 1386 cp = pp->conn_out_get(ipvs, af, skb, &iph); 1387 1387 1388 - if (likely(cp)) 1388 + if (likely(cp)) { 1389 + if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) 1390 + goto ignore_cp; 1389 1391 return handle_response(af, skb, pd, cp, &iph, hooknum); 1392 + } 1390 1393 1391 1394 /* Check for real-server-started requests */ 1392 1395 if (atomic_read(&ipvs->conn_out_counter)) { ··· 1447 1444 } 1448 1445 } 1449 1446 } 1447 + 1448 + out: 1450 1449 IP_VS_DBG_PKT(12, af, pp, skb, iph.off, 1451 1450 "ip_vs_out: packet continues traversal as normal"); 1452 1451 return NF_ACCEPT; 1452 + 1453 + ignore_cp: 1454 + __ip_vs_conn_put(cp); 1455 + goto out; 1453 1456 } 1454 1457 1455 1458 /*
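Review bot: the `if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) goto ignore_cp;` added at the top of handle_response (line 852) repeats the identical test this same patch adds in ip_vs_out just before the `return handle_response(af, skb, pd, cp, &iph, hooknum);` call (line 1389), so through that caller the in-function check can never fire; either keep only one of the two or add a one-line comment at line 852 saying it is a defensive check for other callers. Dropping the pr_err also drops the only diagnostic for this case: an IP_VS_DBG_PKT() at the new `ignore_cp:` label, as the file already does at line 1450, would keep the event visible in debug builds instead of ignoring it silently. Since `ignore_cp:` lands on `verdict = NF_ACCEPT;` and falls into `out:`, whose body is outside the hunk, confirm that the `out:` path still releases the connection reference taken by conn_out_get for this early exit.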
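Review bot: in the ip_vs_out hunk at line 1388, the separate `goto ignore_cp` inside `if (likely(cp)) {` is the right shape and should not be folded into the if condition: a non-MASQ cp that merely failed a combined `likely(cp) && IP_VS_FWD_METHOD(cp) == IP_VS_CONN_F_MASQ` test would fall through into the "Check for real-server-started requests" block below and leak the reference that conn_out_get returned. A short comment at line 1389 stating that a reply matched to a DR/TUN connection must not be SNATed and is routed through ignore_cp only to drop that reference would make the intent clear to the next reader.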
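Review bot: the `ignore_cp:` block added at line 1453 sits after an unconditional `return NF_ACCEPT;`, is reachable only by goto, and dereferences `cp` through `__ip_vs_conn_put(cp);`; its single entry today is from inside `if (likely(cp)) {`, so cp is non-NULL, but a comment stating that invariant would stop a future `goto ignore_cp` from a cp == NULL path from oopsing. The backward `goto out;` exists only to reuse the "ip_vs_out: packet continues traversal as normal" debug line; consider a dedicated IP_VS_DBG_PKT() there that says the connection was matched but is not NATed (the point of the commit message), followed by a direct `return NF_ACCEPT;`, which removes the new `out:` label and the jump back up the function.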