voidanix
/
android_kernel_lge_bullhead
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
android_kernel_lge_bullhead/net/netfilter/ipvs
History
Julian Anastasov f0dce90508 ipvs: SNAT packet replies only for NATed connections 
commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b upstream.

We do not check if packet from real server is for NAT
connection before performing SNAT. This causes problems
for setups that use DR/TUN and allow local clients to
access the real server directly, for example:

- local client in director creates IPVS-DR/TUN connection
CIP->VIP and the request packets are routed to RIP.
Talks are finished but IPVS connection is not expired yet.

- second local client creates non-IPVS connection CIP->RIP
with same reply tuple RIP->CIP and when replies are received
on LOCAL_IN we wrongly assign them for the first client
connection because RIP->CIP matches the reply direction.
As result, IPVS SNATs replies for non-IPVS connections.

The problem is more visible to local UDP clients but in rare
cases it can happen also for TCP or remote clients when the
real server sends the reply traffic via the director.

So, better to be more precise for the reply traffic.
As replies are not expected for DR/TUN connections, better
to not touch them.

Reported-by: Nick Moriarty <nick.moriarty@york.ac.uk>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Willy Tarreau <w@1wt.eu>
 		2017-11-01 22:12:41 +01:00
..
Kconfig ipvs: Complete IPv6 fragment handling for IPVS 2012-09-28 11:34:24 +09:00
Makefile IPVS: sip persistence engine 2010-10-04 22:45:24 +09:00
ip_vs_app.c ipvs: do not disable bh for long time 2013-04-02 00:23:58 +02:00
ip_vs_conn.c ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack 2014-10-05 14:54:14 -07:00
ip_vs_core.c ipvs: SNAT packet replies only for NATed connections 2017-11-01 22:12:41 +01:00
ip_vs_ctl.c ipvs: info leak in __ip_vs_get_dest_entries() 2013-06-10 14:53:00 +02:00
ip_vs_dh.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_est.c ipvs: fix some sparse warnings 2013-03-19 21:18:38 +09:00
ip_vs_ftp.c ipvs: uninitialized data with IP_VS_IPV6 2015-01-29 17:40:56 -08:00
ip_vs_lblc.c ipvs: fix sparse warnings in lblc and lblcr 2013-04-23 11:43:05 +09:00
ip_vs_lblcr.c ipvs: fix sparse warnings in lblc and lblcr 2013-04-23 11:43:05 +09:00
ip_vs_lc.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_nfct.c ipvs: remove silly double assignment 2012-10-28 22:50:51 +01:00
ip_vs_nq.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_pe.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_pe_sip.c ipvs: correct initial offset of Call-ID header search in SIP persistence engine 2016-06-07 10:42:52 +02:00
ip_vs_proto.c ipvs: Trivial changes, use compressed IPv6 address in output 2012-09-28 11:33:52 +09:00
ip_vs_proto_ah_esp.c ipvs: API change to avoid rescan of IPv6 exthdr 2012-09-28 11:34:33 +09:00
ip_vs_proto_sctp.c ipvs: off by one in set_sctp_state() 2013-04-23 11:43:06 +09:00
ip_vs_proto_tcp.c ipvs: count pre-established TCP states as active 2017-02-10 11:03:48 +01:00
ip_vs_proto_udp.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_rr.c ipvs: do not disable bh for long time 2013-04-02 00:23:58 +02:00
ip_vs_sched.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_sed.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_sh.c ipvs: ip_vs_sh: fix build 2013-05-29 17:50:39 +02:00
ip_vs_sync.c ipvs: fix crash with sync protocol v0 and FTP 2015-10-22 14:37:51 -07:00
ip_vs_wlc.c ipvs: convert services to rcu 2013-04-02 00:23:58 +02:00
ip_vs_wrr.c ipvs: do not disable bh for long time 2013-04-02 00:23:58 +02:00
ip_vs_xmit.c ipvs: do not use random local source address for tunnels 2015-10-22 14:37:51 -07:00