forked from Minki/linux
3c5ab3f395
We do not check if packet from real server is for NAT connection before performing SNAT. This causes problems for setups that use DR/TUN and allow local clients to access the real server directly, for example: - local client in director creates IPVS-DR/TUN connection CIP->VIP and the request packets are routed to RIP. Talks are finished but IPVS connection is not expired yet. - second local client creates non-IPVS connection CIP->RIP with same reply tuple RIP->CIP and when replies are received on LOCAL_IN we wrongly assign them for the first client connection because RIP->CIP matches the reply direction. As result, IPVS SNATs replies for non-IPVS connections. The problem is more visible to local UDP clients but in rare cases it can happen also for TCP or remote clients when the real server sends the reply traffic via the director. So, better to be more precise for the reply traffic. As replies are not expected for DR/TUN connections, better to not touch them. Reported-by: Nick Moriarty <nick.moriarty@york.ac.uk> Tested-by: Nick Moriarty <nick.moriarty@york.ac.uk> Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> |
||
---|---|---|
.. | ||
ip_vs_app.c | ||
ip_vs_conn.c | ||
ip_vs_core.c | ||
ip_vs_ctl.c | ||
ip_vs_dh.c | ||
ip_vs_est.c | ||
ip_vs_fo.c | ||
ip_vs_ftp.c | ||
ip_vs_lblc.c | ||
ip_vs_lblcr.c | ||
ip_vs_lc.c | ||
ip_vs_nfct.c | ||
ip_vs_nq.c | ||
ip_vs_ovf.c | ||
ip_vs_pe_sip.c | ||
ip_vs_pe.c | ||
ip_vs_proto_ah_esp.c | ||
ip_vs_proto_sctp.c | ||
ip_vs_proto_tcp.c | ||
ip_vs_proto_udp.c | ||
ip_vs_proto.c | ||
ip_vs_rr.c | ||
ip_vs_sched.c | ||
ip_vs_sed.c | ||
ip_vs_sh.c | ||
ip_vs_sync.c | ||
ip_vs_wlc.c | ||
ip_vs_wrr.c | ||
ip_vs_xmit.c | ||
Kconfig | ||
Makefile |