ipvs: ensure that ICMP cannot be sent in reply to ICMP

Check the header for icmp before sending a PACKET_TOO_BIG Signed-off-by: Alex Gartrell <agartrell@fb.com> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au>
author: Alex Gartrell <agartrell@fb.com> 2015-08-26 09:40:38 -0700
committer: Simon Horman <horms@verge.net.au> 2015-09-01 10:33:59 +0900
commit: 89621f31d18b81a6c66a97fc2a80b3b6e5937a81 (patch)
tree: 5860f46bfac8bf8dea73583ee06e5ad45d9036f0 /net/netfilter/ipvs/ip_vs_xmit.c
parent: 6044eeffafbe35154c5d3b04b73e8938a62e5d39 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index af5e9d3b4de9..c5be055ae32e 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -224,7 +224,7 @@ static inline bool ensure_mtu_is_adequate(int skb_af, int rt_mode,
 			if (!skb->dev)
 				skb->dev = net->loopback_dev;
 			/* only send ICMP too big on first fragment */
-			if (!ipvsh->fragoffs)
+			if (!ipvsh->fragoffs && !ip_vs_iph_icmp(ipvsh))
 				icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
 			IP_VS_DBG(1, "frag needed for %pI6c\n",
 				  &ipv6_hdr(skb)->saddr);
@@ -242,7 +242,8 @@ static inline bool ensure_mtu_is_adequate(int skb_af, int rt_mode,
 			return true;
 
 		if (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&
-			     skb->len > mtu && !skb_is_gso(skb))) {
+			     skb->len > mtu && !skb_is_gso(skb) &&
+			     !ip_vs_iph_icmp(ipvsh))) {
 			icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 				  htonl(mtu));
 			IP_VS_DBG(1, "frag needed for %pI4\n",
author	Alex Gartrell <agartrell@fb.com>	2015-08-26 09:40:38 -0700
committer	Simon Horman <horms@verge.net.au>	2015-09-01 10:33:59 +0900
commit	89621f31d18b81a6c66a97fc2a80b3b6e5937a81 (patch)
tree	5860f46bfac8bf8dea73583ee06e5ad45d9036f0 /net/netfilter/ipvs/ip_vs_xmit.c
parent	6044eeffafbe35154c5d3b04b73e8938a62e5d39 (diff)