releases/3.10.73/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 579eb62ac35845686a7c4286c0a820b4eb1f96aa Mon Sep 17 00:00:00 2001
 From: Julian Anastasov <ja@ssi.bg>
 Date: Thu, 18 Dec 2014 22:41:23 +0200
 Subject: ipvs: rerouting to local clients is not needed anymore

 From: Julian Anastasov <ja@ssi.bg>

 commit 579eb62ac35845686a7c4286c0a820b4eb1f96aa upstream.

 commit f5a41847acc5 ("ipvs: move ip_route_me_harder for ICMP")
 from 2.6.37 introduced ip_route_me_harder() call for responses to
 local clients, so that we can provide valid rt_src after SNAT.
 It was used by TCP to provide valid daddr for ip_send_reply().
 After commit 0a5ebb8000c5 ("ipv4: Pass explicit daddr arg to
 ip_send_reply()." from 3.0 this rerouting is not needed anymore
 and should be avoided, especially in LOCAL_IN.

 Fixes 3.12.33 crash in xfrm reported by Florian Wiessner:
 "3.12.33 - BUG xfrm_selector_match+0x25/0x2f6"

 Reported-by: Smart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
 Tested-by: Smart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
 Signed-off-by: Julian Anastasov <ja@ssi.bg>
 Signed-off-by: Simon Horman <horms@verge.net.au>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/netfilter/ipvs/ip_vs_core.c |   33 ++++++++++++++++++++++-----------
  1 file changed, 22 insertions(+), 11 deletions(-)

 --- a/net/netfilter/ipvs/ip_vs_core.c
 +++ b/net/netfilter/ipvs/ip_vs_core.c
 @@ -650,16 +650,24 @@ static inline int ip_vs_gather_frags(str
  	return err;
  }

 -static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
 +static int ip_vs_route_me_harder(int af, struct sk_buff *skb,
 +				 unsigned int hooknum)
  {
 +	if (!sysctl_snat_reroute(skb))
 +		return 0;
 +	/* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */
 +	if (NF_INET_LOCAL_IN == hooknum)
 +		return 0;
  #ifdef CONFIG_IP_VS_IPV6
  	if (af == AF_INET6) {
 -		if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
 +		struct dst_entry *dst = skb_dst(skb);
 +
 +		if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
 +		    ip6_route_me_harder(skb) != 0)
  			return 1;
  	} else
  #endif
 -		if ((sysctl_snat_reroute(skb) ||
 -		     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
 +		if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
  		    ip_route_me_harder(skb, RTN_LOCAL) != 0)
  			return 1;

 @@ -782,7 +790,8 @@ static int handle_response_icmp(int af,
  				union nf_inet_addr *snet,
  				__u8 protocol, struct ip_vs_conn *cp,
  				struct ip_vs_protocol *pp,
 -				unsigned int offset, unsigned int ihl)
 +				unsigned int offset, unsigned int ihl,
 +				unsigned int hooknum)
  {
  	unsigned int verdict = NF_DROP;

 @@ -812,7 +821,7 @@ static int handle_response_icmp(int af,
  #endif
  		ip_vs_nat_icmp(skb, pp, cp, 1);

 -	if (ip_vs_route_me_harder(af, skb))
 +	if (ip_vs_route_me_harder(af, skb, hooknum))
  		goto out;

  	/* do the statistics and put it back */
 @@ -907,7 +916,7 @@ static int ip_vs_out_icmp(struct sk_buff

  	snet.ip = iph->saddr;
  	return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
 -				    pp, ciph.len, ihl);
 +				    pp, ciph.len, ihl, hooknum);
  }

  #ifdef CONFIG_IP_VS_IPV6
 @@ -972,7 +981,8 @@ static int ip_vs_out_icmp_v6(struct sk_b
  	snet.in6 = ciph.saddr.in6;
  	writable = ciph.len;
  	return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp,
 -				    pp, writable, sizeof(struct ipv6hdr));
 +				    pp, writable, sizeof(struct ipv6hdr),
 +				    hooknum);
  }
  #endif

 @@ -1031,7 +1041,8 @@ static inline bool is_new_conn(const str
   */
  static unsigned int
  handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
 -		struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
 +		struct ip_vs_conn *cp, struct ip_vs_iphdr *iph,
 +		unsigned int hooknum)
  {
  	struct ip_vs_protocol *pp = pd->pp;

 @@ -1069,7 +1080,7 @@ handle_response(int af, struct sk_buff *
  	 * if it came from this machine itself.  So re-compute
  	 * the routing information.
  	 */
 -	if (ip_vs_route_me_harder(af, skb))
 +	if (ip_vs_route_me_harder(af, skb, hooknum))
  		goto drop;

  	IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
 @@ -1172,7 +1183,7 @@ ip_vs_out(unsigned int hooknum, struct s
  	cp = pp->conn_out_get(af, skb, &iph, 0);

  	if (likely(cp))
 -		return handle_response(af, skb, pd, cp, &iph);
 +		return handle_response(af, skb, pd, cp, &iph, hooknum);
  	if (sysctl_nat_icmp_send(net) &&
  	    (pp->protocol == IPPROTO_TCP ||
  	     pp->protocol == IPPROTO_UDP ||
	From 579eb62ac35845686a7c4286c0a820b4eb1f96aa Mon Sep 17 00:00:00 2001
	From: Julian Anastasov <ja@ssi.bg>
	Date: Thu, 18 Dec 2014 22:41:23 +0200
	Subject: ipvs: rerouting to local clients is not needed anymore

	From: Julian Anastasov <ja@ssi.bg>

	commit 579eb62ac35845686a7c4286c0a820b4eb1f96aa upstream.

	commit f5a41847acc5 ("ipvs: move ip_route_me_harder for ICMP")
	from 2.6.37 introduced ip_route_me_harder() call for responses to
	local clients, so that we can provide valid rt_src after SNAT.
	It was used by TCP to provide valid daddr for ip_send_reply().
	After commit 0a5ebb8000c5 ("ipv4: Pass explicit daddr arg to
	ip_send_reply()." from 3.0 this rerouting is not needed anymore
	and should be avoided, especially in LOCAL_IN.

	Fixes 3.12.33 crash in xfrm reported by Florian Wiessner:
	"3.12.33 - BUG xfrm_selector_match+0x25/0x2f6"

	Reported-by: Smart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
	Tested-by: Smart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
	Signed-off-by: Julian Anastasov <ja@ssi.bg>
	Signed-off-by: Simon Horman <horms@verge.net.au>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/netfilter/ipvs/ip_vs_core.c \| 33 ++++++++++++++++++++++-----------
	1 file changed, 22 insertions(+), 11 deletions(-)

	--- a/net/netfilter/ipvs/ip_vs_core.c
	+++ b/net/netfilter/ipvs/ip_vs_core.c
	@@ -650,16 +650,24 @@ static inline int ip_vs_gather_frags(str
	return err;
	}

	-static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
	+static int ip_vs_route_me_harder(int af, struct sk_buff *skb,
	+ unsigned int hooknum)
	{
	+ if (!sysctl_snat_reroute(skb))
	+ return 0;
	+ /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */
	+ if (NF_INET_LOCAL_IN == hooknum)
	+ return 0;
	#ifdef CONFIG_IP_VS_IPV6
	if (af == AF_INET6) {
	- if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
	+ struct dst_entry *dst = skb_dst(skb);
	+
	+ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
	+ ip6_route_me_harder(skb) != 0)
	return 1;
	} else
	#endif
	- if ((sysctl_snat_reroute(skb) \|\|
	- skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
	+ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
	ip_route_me_harder(skb, RTN_LOCAL) != 0)
	return 1;

	@@ -782,7 +790,8 @@ static int handle_response_icmp(int af,
	union nf_inet_addr *snet,
	__u8 protocol, struct ip_vs_conn *cp,
	struct ip_vs_protocol *pp,
	- unsigned int offset, unsigned int ihl)
	+ unsigned int offset, unsigned int ihl,
	+ unsigned int hooknum)
	{
	unsigned int verdict = NF_DROP;

	@@ -812,7 +821,7 @@ static int handle_response_icmp(int af,
	#endif
	ip_vs_nat_icmp(skb, pp, cp, 1);

	- if (ip_vs_route_me_harder(af, skb))
	+ if (ip_vs_route_me_harder(af, skb, hooknum))
	goto out;

	/* do the statistics and put it back */
	@@ -907,7 +916,7 @@ static int ip_vs_out_icmp(struct sk_buff

	snet.ip = iph->saddr;
	return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
	- pp, ciph.len, ihl);
	+ pp, ciph.len, ihl, hooknum);
	}

	#ifdef CONFIG_IP_VS_IPV6
	@@ -972,7 +981,8 @@ static int ip_vs_out_icmp_v6(struct sk_b
	snet.in6 = ciph.saddr.in6;
	writable = ciph.len;
	return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp,
	- pp, writable, sizeof(struct ipv6hdr));
	+ pp, writable, sizeof(struct ipv6hdr),
	+ hooknum);
	}
	#endif

	@@ -1031,7 +1041,8 @@ static inline bool is_new_conn(const str
	*/
	static unsigned int
	handle_response(int af, struct sk_buff skb, struct ip_vs_proto_data pd,
	- struct ip_vs_conn cp, struct ip_vs_iphdr iph)
	+ struct ip_vs_conn cp, struct ip_vs_iphdr iph,
	+ unsigned int hooknum)
	{
	struct ip_vs_protocol *pp = pd->pp;

	@@ -1069,7 +1080,7 @@ handle_response(int af, struct sk_buff *
	* if it came from this machine itself. So re-compute
	* the routing information.
	*/
	- if (ip_vs_route_me_harder(af, skb))
	+ if (ip_vs_route_me_harder(af, skb, hooknum))
	goto drop;

	IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
	@@ -1172,7 +1183,7 @@ ip_vs_out(unsigned int hooknum, struct s
	cp = pp->conn_out_get(af, skb, &iph, 0);

	if (likely(cp))
	- return handle_response(af, skb, pd, cp, &iph);
	+ return handle_response(af, skb, pd, cp, &iph, hooknum);
	if (sysctl_nat_icmp_send(net) &&
	(pp->protocol == IPPROTO_TCP \|\|
	pp->protocol == IPPROTO_UDP \|\|