ipvs: do not schedule icmp errors from tunnels

We can receive ICMP errors from client or from tunneling real server. While the former can be scheduled to real server, the latter should not be scheduled, they are decapsulated only when existing connection is found. Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Julian Anastasov <ja@ssi.bg> 2019-03-31 13:24:52 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-04-13 14:52:57 +0200
commit: 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 (patch)
tree: 88da52e71fa17b02ef40b4b33f2fdf685335269d /net
parent: 8176c8332751bf27597488d6e45c9b8f530593bf (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 43bbaa32b1d6..14457551bcb4 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
 	if (!cp) {
 		int v;
 
-		if (!sysctl_schedule_icmp(ipvs))
+		if (ipip || !sysctl_schedule_icmp(ipvs))
 			return NF_ACCEPT;
 
 		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
author	Julian Anastasov <ja@ssi.bg>	2019-03-31 13:24:52 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-04-13 14:52:57 +0200
commit	0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 (patch)
tree	88da52e71fa17b02ef40b4b33f2fdf685335269d /net
parent	8176c8332751bf27597488d6e45c9b8f530593bf (diff)