2 files changed, 15 insertions, 4 deletions

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 47edf5a40a59..18b4bc55fa3d 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1577,7 +1577,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
         }
         /* ipvs enabled in this netns ? */
         net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                 return NF_ACCEPT;
 
         ip_vs_fill_iph_skb(af, skb, &iph);
@@ -1654,7 +1655,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
         }
 
         IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
-        ipvs = net_ipvs(net);
         /* Check the server status */
         if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
                 /* the destination server is not available */
@@ -1815,13 +1815,15 @@ ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
 {
         int r;
         struct net *net;
+        struct netns_ipvs *ipvs;
 
         if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
                 return NF_ACCEPT;
 
         /* ipvs enabled in this netns ? */
         net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                 return NF_ACCEPT;
 
         return ip_vs_in_icmp(skb, &r, hooknum);
@@ -1835,6 +1837,7 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
 {
         int r;
         struct net *net;
+        struct netns_ipvs *ipvs;
         struct ip_vs_iphdr iphdr;
 
         ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);
@@ -1843,7 +1846,8 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
 
         /* ipvs enabled in this netns ? */
         net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                 return NF_ACCEPT;
 
         return ip_vs_in_icmp_v6(skb, &r, hooknum, &iphdr);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c68198bf9128..9e2d1cccd1eb 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1808,6 +1808,12 @@ static struct ctl_table vs_vars[] = {
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec,
         },
+        {
+                .procname       = "backup_only",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
 #ifdef CONFIG_IP_VS_DEBUG
         {
                 .procname       = "debug_level",
@@ -3741,6 +3747,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
         tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
         ipvs->sysctl_pmtu_disc = 1;
         tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
+        tbl[idx++].data = &ipvs->sysctl_backup_only;
 
 
         ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);