
[net] ipvs: fix check on xmit to non-local addresses

Message ID 20180602185215.17097-1-ja@ssi.bg
State Accepted
Delegated to: Pablo Neira

Commit Message

Julian Anastasov June 2, 2018, 6:52 p.m. UTC
There is a mistake in the rt_mode_allow_non_local assignment.
It should be used to check if sending to non-local addresses is
allowed, now it checks if local addresses are allowed.

As local addresses are allowed for most of the cases, the only
places that are affected are for traffic to transparent cache
servers:

- bypass connections when cache server is not available
- related ICMP in FORWARD hook when sent to cache server

Fixes: 4a4739d56b00 ("ipvs: Pull out crosses_local_route_boundary logic")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
---
 net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
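To see why only callers that request non-local destinations without also allowing local ones are affected, here is an added example (not kernel code and not part of the patch) that decodes the three rt_mode flags the hunk touches, once with the old mask and once with the corrected one, and feeds them into a small decision routine. The routine and the struct route_ctx are a hypothetical simplification written for this illustration, modelled on the booleans declared at the top of crosses_local_route_boundary(); the kernel's real body is not shown on this page. The numeric values of IP_VS_RT_MODE_LOCAL, IP_VS_RT_MODE_NON_LOCAL and IP_VS_RT_MODE_RDR are assumed here; the page gives only their names.

```c
/* Added example, not kernel code.  Models the flag decoding at the top of
 * crosses_local_route_boundary() with the buggy and the fixed assignment of
 * rt_mode_allow_non_local side by side.  The decision logic that follows the
 * flags is a simplification written for this illustration; only the three
 * flag assignments are taken from the hunk. */
#include <stdbool.h>
#include <stdio.h>

/* Bit values assumed for the illustration (the page shows only the names). */
#define IP_VS_RT_MODE_LOCAL     1   /* allow local destinations */
#define IP_VS_RT_MODE_NON_LOCAL 2   /* allow non-local destinations */
#define IP_VS_RT_MODE_RDR       4   /* allow redirect from remote to local */

/* Hypothetical stand-in for what the kernel derives from the skb/route. */
struct route_ctx {
	bool new_rt_is_local;   /* new route resolves to a local address */
	bool old_rt_is_local;   /* incoming skb already carried a local route */
	bool source_is_loopback; /* packet source is a loopback address */
};

/* Returns true when sending on the new route would cross a boundary that
 * rt_mode does not allow.  'fixed' selects the corrected assignment. */
static bool crosses_boundary(int rt_mode, const struct route_ctx *ctx, bool fixed)
{
	bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
	/* Before the patch this line tested IP_VS_RT_MODE_LOCAL a second time,
	 * so the two booleans could never differ. */
	bool rt_mode_allow_non_local = fixed
		? !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL)
		: !!(rt_mode & IP_VS_RT_MODE_LOCAL);
	bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);

	if (ctx->new_rt_is_local) {
		if (!rt_mode_allow_local)
			return true;
		if (!rt_mode_allow_redirect && !ctx->old_rt_is_local)
			return true;
	} else {
		if (!rt_mode_allow_non_local)
			return true;
		if (ctx->source_is_loopback)
			return true;
	}
	return false;
}

/* The case the commit message singles out: a caller that allows only
 * non-local destinations (a remote transparent cache server) sending to a
 * non-local route.  With the old mask the send is wrongly rejected. */
static bool non_local_only_rejects_remote(bool fixed)
{
	struct route_ctx remote = { false, false, false };
	return crosses_boundary(IP_VS_RT_MODE_NON_LOCAL, &remote, fixed);
}

/* Most callers also set IP_VS_RT_MODE_LOCAL; for them the wrong mask still
 * yields true, which is why the bug stayed hidden there. */
static bool local_and_non_local_rejects_remote(bool fixed)
{
	struct route_ctx remote = { false, false, false };
	return crosses_boundary(IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL,
				&remote, fixed);
}

int main(void)
{
	printf("%-18s %-6s %-6s\n", "rt_mode", "buggy", "fixed");
	printf("%-18s %-6d %-6d\n", "NON_LOCAL",
	       non_local_only_rejects_remote(false),
	       non_local_only_rejects_remote(true));
	printf("%-18s %-6d %-6d\n", "LOCAL|NON_LOCAL",
	       local_and_non_local_rejects_remote(false),
	       local_and_non_local_rejects_remote(true));
	return 0;
}
```

The table prints 1 (rejected) for the NON_LOCAL-only caller under the old mask and 0 under the fix, while the LOCAL|NON_LOCAL row is 0 in both columns: the copy-and-paste error is invisible to any caller that also allows local destinations, which is exactly the scope the commit message describes.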

Comments

Simon Horman June 4, 2018, 8:36 a.m. UTC | #1
On Sat, Jun 02, 2018 at 09:52:15PM +0300, Julian Anastasov wrote:
> There is a mistake in the rt_mode_allow_non_local assignment.
> It should be used to check if sending to non-local addresses is
> allowed, now it checks if local addresses are allowed.
> 
> As local addresses are allowed for most of the cases, the only
> places that are affected are for traffic to transparent cache
> servers:
> 
> - bypass connections when cache server is not available
> - related ICMP in FORWARD hook when sent to cache server
> 
> Fixes: 4a4739d56b00 ("ipvs: Pull out crosses_local_route_boundary logic")
> Signed-off-by: Julian Anastasov <ja@ssi.bg>

Acked-by: Simon Horman <horms@verge.net.au>

Pablo, if it's not too much trouble please take this into nf.

> ---
>  net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
> index 4527921..8f7fff7 100644
> --- a/net/netfilter/ipvs/ip_vs_xmit.c
> +++ b/net/netfilter/ipvs/ip_vs_xmit.c
> @@ -168,7 +168,7 @@ static inline bool crosses_local_route_boundary(int skb_af, struct sk_buff *skb,
>  						bool new_rt_is_local)
>  {
>  	bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
> -	bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
> +	bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL);
>  	bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);
>  	bool source_is_loopback;
>  	bool old_rt_is_local;
> -- 
> 2.9.5
> 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso June 4, 2018, 4:28 p.m. UTC | #2
On Sat, Jun 02, 2018 at 09:52:15PM +0300, Julian Anastasov wrote:
> There is a mistake in the rt_mode_allow_non_local assignment.
> It should be used to check if sending to non-local addresses is
> allowed, now it checks if local addresses are allowed.
> 
> As local addresses are allowed for most of the cases, the only
> places that are affected are for traffic to transparent cache
> servers:
> 
> - bypass connections when cache server is not available
> - related ICMP in FORWARD hook when sent to cache server

Applied, thanks!

Patch

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 4527921..8f7fff7 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -168,7 +168,7 @@  static inline bool crosses_local_route_boundary(int skb_af, struct sk_buff *skb,
 						bool new_rt_is_local)
 {
 	bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
-	bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
+	bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL);
 	bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);
 	bool source_is_loopback;
 	bool old_rt_is_local;
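Review bot: The one-line change is the right fix as far as the visible lines go: the removed line repeated the mask from rt_mode_allow_local directly above it, so rt_mode_allow_non_local could never differ from rt_mode_allow_local, and a caller passing IP_VS_RT_MODE_NON_LOCAL without IP_VS_RT_MODE_LOCAL ended up with both booleans false. The code that consumes these booleans lies below the hunk, so the callers that pass NON_LOCAL-only modes (the transparent cache bypass and related-ICMP paths named in the commit message) are worth checking to confirm the behaviour change is limited to them. One tagging point: the patch carries a Fixes: 4a4739d56b00 line but no Cc: stable@vger.kernel.org; since the wrong mask has been present since that commit and changes whether packets to cache servers are sent at all, a stable tag would help the fix get backported.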