ipvs: stop ICMP from FORWARD to local (489fdeda) · Commits · e / devices / android_kernel_samsung_universal8895

net/netfilter/ipvs/ip_vs_core.c

+19 −2

Original line number	Diff line number	Diff line
		@@ -48,6 +48,7 @@
		#ifdef CONFIG_IP_VS_IPV6
		#include <net/ipv6.h>
		#include <linux/netfilter_ipv6.h>
		#include <net/ip6_route.h>
		#endif

		#include <net/ip_vs.h>
		@@ -1191,7 +1192,14 @@ ip_vs_in_icmp(struct sk_buff skb, int related, unsigned int hooknum)
		if (IPPROTO_TCP == cih->protocol \|\| IPPROTO_UDP == cih->protocol)
		offset += 2 * sizeof(__u16);
		verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
		/* do not touch skb anymore */
		/* LOCALNODE from FORWARD hook is not supported */
		if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
		skb_rtable(skb)->rt_flags & RTCF_LOCAL) {
		IP_VS_DBG(1, "%s(): "
		"local delivery to %pI4 but in FORWARD\n",
		__func__, &skb_rtable(skb)->rt_dst);
		verdict = NF_DROP;
		}

		out:
		__ip_vs_conn_put(cp);
		@@ -1212,6 +1220,7 @@ ip_vs_in_icmp_v6(struct sk_buff skb, int related, unsigned int hooknum)
		struct ip_vs_protocol *pp;
		unsigned int offset, verdict;
		union nf_inet_addr snet;
		struct rt6_info *rt;

		*related = 1;

		@@ -1290,7 +1299,15 @@ ip_vs_in_icmp_v6(struct sk_buff skb, int related, unsigned int hooknum)
		IPPROTO_SCTP == cih->nexthdr)
		offset += 2 * sizeof(__u16);
		verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
		/* do not touch skb anymore */
		/* LOCALNODE from FORWARD hook is not supported */
		if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
		(rt = (struct rt6_info *) skb_dst(skb)) &&
		rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK) {
		IP_VS_DBG(1, "%s(): "
		"local delivery to %pI6 but in FORWARD\n",
		__func__, &rt->rt6i_dst);
		verdict = NF_DROP;
		}

		__ip_vs_conn_put(cp);