authorJulian Anastasov <ja@ssi.bg>2010-10-17 09:35:46 -0400
committerSimon Horman <horms@verge.net.au>2010-10-21 04:51:43 -0400
commitf5a41847acc535e2e2018e397b1876ba7577d9d9 (patch)
tree319e371c22e2b9f82bafa4c23b364fdfd64a916b /net/netfilter
parent1ca5bb5450aa2401fa272efeb741ebb260d0fbb0 (diff)
ipvs: move ip_route_me_harder for ICMP
Currently, ip_route_me_harder after ip_vs_out_icmp is called even if packet is not related to IPVS connection. Move it into handle_response_icmp. Also, force rerouting if sending to local client because IPv4 stack uses addresses from the route. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c41
1 files changed, 21 insertions, 20 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index f7f52831c4a6..c4f091d5a628 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -702,6 +702,17 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
702#endif 702#endif
703 ip_vs_nat_icmp(skb, pp, cp, 1); 703 ip_vs_nat_icmp(skb, pp, cp, 1);
704 704
705#ifdef CONFIG_IP_VS_IPV6
706 if (af == AF_INET6) {
707 if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
708 goto out;
709 } else
710#endif
711 if ((sysctl_ip_vs_snat_reroute ||
712 skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
713 ip_route_me_harder(skb, RTN_LOCAL) != 0)
714 goto out;
715
705 /* do the statistics and put it back */ 716 /* do the statistics and put it back */
706 ip_vs_out_stats(cp, skb); 717 ip_vs_out_stats(cp, skb);
707 718
@@ -940,16 +951,16 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
940 * if it came from this machine itself. So re-compute 951 * if it came from this machine itself. So re-compute
941 * the routing information. 952 * the routing information.
942 */ 953 */
943 if (sysctl_ip_vs_snat_reroute) {
944#ifdef CONFIG_IP_VS_IPV6 954#ifdef CONFIG_IP_VS_IPV6
945 if (af == AF_INET6) { 955 if (af == AF_INET6) {
946 if (ip6_route_me_harder(skb) != 0) 956 if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
947 goto drop; 957 goto drop;
948 } else 958 } else
949#endif 959#endif
950 if (ip_route_me_harder(skb, RTN_LOCAL) != 0) 960 if ((sysctl_ip_vs_snat_reroute ||
951 goto drop; 961 skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
952 } 962 ip_route_me_harder(skb, RTN_LOCAL) != 0)
963 goto drop;
953 964
954 IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT"); 965 IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
955 966
@@ -1001,13 +1012,8 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
1001 int verdict = ip_vs_out_icmp_v6(skb, &related, 1012 int verdict = ip_vs_out_icmp_v6(skb, &related,
1002 hooknum); 1013 hooknum);
1003 1014
1004 if (related) { 1015 if (related)
1005 if (sysctl_ip_vs_snat_reroute &&
1006 NF_ACCEPT == verdict &&
1007 ip6_route_me_harder(skb))
1008 verdict = NF_DROP;
1009 return verdict; 1016 return verdict;
1010 }
1011 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); 1017 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1012 } 1018 }
1013 } else 1019 } else
@@ -1016,13 +1022,8 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb,
1016 int related; 1022 int related;
1017 int verdict = ip_vs_out_icmp(skb, &related, hooknum); 1023 int verdict = ip_vs_out_icmp(skb, &related, hooknum);
1018 1024
1019 if (related) { 1025 if (related)
1020 if (sysctl_ip_vs_snat_reroute &&
1021 NF_ACCEPT == verdict &&
1022 ip_route_me_harder(skb, RTN_LOCAL))
1023 verdict = NF_DROP;
1024 return verdict; 1026 return verdict;
1025 }
1026 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph); 1027 ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
1027 } 1028 }
1028 1029
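Review bot: The IPv4 reroute test added in handle_response_icmp (new lines 711-714) is repeated verbatim in handle_response (new lines 960-963), so a routing decision that depends on sysctl_ip_vs_snat_reroute and RTCF_LOCAL now has two copies that must be kept in sync. Both copies mix `||` with an unparenthesized `&` and dereference `skb_rtable(skb)` without a NULL check; the precedence is correct as written and a route is presumably always attached at these hooks, but neither is evident from the hunks. I would move the test into one static helper (the name below is only a suggestion), parenthesize the flag test, and add a comment on why only the IPv4 branch forces the reroute for local clients, which the commit message attributes to the IPv4 stack using addresses from the route. Both enclosing functions start and end outside the hunks shown.

```c
/* Proposed helper; returns non-zero when rerouting fails. */
static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
{
#ifdef CONFIG_IP_VS_IPV6
	if (af == AF_INET6) {
		if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
			return 1;
	} else
#endif
		/* IPv4 takes addresses from the route, so a reply to a
		 * local client is rerouted even with snat_reroute off. */
		if ((sysctl_ip_vs_snat_reroute ||
		     (skb_rtable(skb)->rt_flags & RTCF_LOCAL)) &&
		    ip_route_me_harder(skb, RTN_LOCAL) != 0)
			return 1;

	return 0;
}

/* … unchanged: handle_response_icmp() up to ip_vs_nat_icmp() … */
	if (ip_vs_route_me_harder(af, skb))
		goto out;

/* … unchanged: handle_response() up to the "After SNAT" debug line … */
	if (ip_vs_route_me_harder(af, skb))
		goto drop;
```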