forked from Minki/linux
Merge tag 'ipvs-fixes-for-v4.12' of http://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs
Simon Horman says: ==================== IPVS Fixes for v4.12 please consider this fix to IPVS for v4.12. * It is a fix from Julian Anastasov to only SNAT SNAT packet replies only for NATed connections My understanding is that this fix is appropriate for 4.9.25, 4.10.13, 4.11 as well as the nf tree. Julian has separately posted backports for other -stable kernels; please see: * [PATCH 3.2.88,3.4.113 -stable 1/3] ipvs: SNAT packet replies only for NATed connections * [PATCH 3.10.105,3.12.73,3.16.43,4.1.39 -stable 2/3] ipvs: SNAT packet replies only for NATed connections * [PATCH 4.4.65 -stable 3/3] ipvs: SNAT packet replies only for NATed connections ==================== Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
commit
ff1e4300cf
@ -849,10 +849,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
|
||||
{
|
||||
unsigned int verdict = NF_DROP;
|
||||
|
||||
if (IP_VS_FWD_METHOD(cp) != 0) {
|
||||
pr_err("shouldn't reach here, because the box is on the "
|
||||
"half connection in the tun/dr module.\n");
|
||||
}
|
||||
if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
|
||||
goto ignore_cp;
|
||||
|
||||
/* Ensure the checksum is correct */
|
||||
if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
|
||||
@ -886,6 +884,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
|
||||
ip_vs_notrack(skb);
|
||||
else
|
||||
ip_vs_update_conntrack(skb, cp, 0);
|
||||
|
||||
ignore_cp:
|
||||
verdict = NF_ACCEPT;
|
||||
|
||||
out:
|
||||
@ -1385,8 +1385,11 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
|
||||
*/
|
||||
cp = pp->conn_out_get(ipvs, af, skb, &iph);
|
||||
|
||||
if (likely(cp))
|
||||
if (likely(cp)) {
|
||||
if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
|
||||
goto ignore_cp;
|
||||
return handle_response(af, skb, pd, cp, &iph, hooknum);
|
||||
}
|
||||
|
||||
/* Check for real-server-started requests */
|
||||
if (atomic_read(&ipvs->conn_out_counter)) {
|
||||
@ -1444,9 +1447,15 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
|
||||
"ip_vs_out: packet continues traversal as normal");
|
||||
return NF_ACCEPT;
|
||||
|
||||
ignore_cp:
|
||||
__ip_vs_conn_put(cp);
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user