Commit e5a4bc2e authored by Julian Anastasov's avatar Julian Anastasov Committed by Ben Hutchings

ipvs: rerouting to local clients is not needed anymore

commit 579eb62a upstream.

commit f5a41847 ("ipvs: move ip_route_me_harder for ICMP")
from 2.6.37 introduced ip_route_me_harder() call for responses to
local clients, so that we can provide valid rt_src after SNAT.
It was used by TCP to provide valid daddr for ip_send_reply().
After commit 0a5ebb80 ("ipv4: Pass explicit daddr arg to
ip_send_reply()." from 3.0 this rerouting is not needed anymore
and should be avoided, especially in LOCAL_IN.

Fixes 3.12.33 crash in xfrm reported by Florian Wiessner:
"3.12.33 - BUG xfrm_selector_match+0x25/0x2f6"
Reported-by: default avatarSmart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
Tested-by: default avatarSmart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
parent 852acc01
...@@ -662,16 +662,24 @@ static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user) ...@@ -662,16 +662,24 @@ static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
} }
#endif #endif
static int ip_vs_route_me_harder(int af, struct sk_buff *skb) static int ip_vs_route_me_harder(int af, struct sk_buff *skb,
unsigned int hooknum)
{ {
if (!sysctl_snat_reroute(skb))
return 0;
/* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */
if (NF_INET_LOCAL_IN == hooknum)
return 0;
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) { if (af == AF_INET6) {
if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) struct dst_entry *dst = skb_dst(skb);
if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
ip6_route_me_harder(skb) != 0)
return 1; return 1;
} else } else
#endif #endif
if ((sysctl_snat_reroute(skb) || if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
ip_route_me_harder(skb, RTN_LOCAL) != 0) ip_route_me_harder(skb, RTN_LOCAL) != 0)
return 1; return 1;
...@@ -782,7 +790,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, ...@@ -782,7 +790,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
union nf_inet_addr *snet, union nf_inet_addr *snet,
__u8 protocol, struct ip_vs_conn *cp, __u8 protocol, struct ip_vs_conn *cp,
struct ip_vs_protocol *pp, struct ip_vs_protocol *pp,
unsigned int offset, unsigned int ihl) unsigned int offset, unsigned int ihl,
unsigned int hooknum)
{ {
unsigned int verdict = NF_DROP; unsigned int verdict = NF_DROP;
...@@ -812,7 +821,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb, ...@@ -812,7 +821,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
#endif #endif
ip_vs_nat_icmp(skb, pp, cp, 1); ip_vs_nat_icmp(skb, pp, cp, 1);
if (ip_vs_route_me_harder(af, skb)) if (ip_vs_route_me_harder(af, skb, hooknum))
goto out; goto out;
/* do the statistics and put it back */ /* do the statistics and put it back */
...@@ -908,7 +917,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related, ...@@ -908,7 +917,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
snet.ip = iph->saddr; snet.ip = iph->saddr;
return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
pp, offset, ihl); pp, offset, ihl, hooknum);
} }
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
...@@ -985,7 +994,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related, ...@@ -985,7 +994,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
ipv6_addr_copy(&snet.in6, &iph->saddr); ipv6_addr_copy(&snet.in6, &iph->saddr);
return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp, return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
pp, offset, sizeof(struct ipv6hdr)); pp, offset, sizeof(struct ipv6hdr),
hooknum);
} }
#endif #endif
...@@ -1018,7 +1028,7 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len) ...@@ -1018,7 +1028,7 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
*/ */
static unsigned int static unsigned int
handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
struct ip_vs_conn *cp, int ihl) struct ip_vs_conn *cp, int ihl, unsigned int hooknum)
{ {
struct ip_vs_protocol *pp = pd->pp; struct ip_vs_protocol *pp = pd->pp;
...@@ -1056,7 +1066,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, ...@@ -1056,7 +1066,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
* if it came from this machine itself. So re-compute * if it came from this machine itself. So re-compute
* the routing information. * the routing information.
*/ */
if (ip_vs_route_me_harder(af, skb)) if (ip_vs_route_me_harder(af, skb, hooknum))
goto drop; goto drop;
IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
...@@ -1169,7 +1179,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) ...@@ -1169,7 +1179,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
cp = pp->conn_out_get(af, skb, &iph, iph.len, 0); cp = pp->conn_out_get(af, skb, &iph, iph.len, 0);
if (likely(cp)) if (likely(cp))
return handle_response(af, skb, pd, cp, iph.len); return handle_response(af, skb, pd, cp, iph.len, hooknum);
if (sysctl_nat_icmp_send(net) && if (sysctl_nat_icmp_send(net) &&
(pp->protocol == IPPROTO_TCP || (pp->protocol == IPPROTO_TCP ||
pp->protocol == IPPROTO_UDP || pp->protocol == IPPROTO_UDP ||
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment