Merge tag 'ipvs-for-v4.4' of https://git.kernel.org/pub/scm/linux/kernel/git/horms...
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 18 Sep 2015 19:03:32 +0000 (21:03 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 18 Sep 2015 19:05:03 +0000 (21:05 +0200)
Simon Horman says:

====================
IPVS Updates for v4.4

please consider these IPVS Updates for v4.4.

The updates include the following from Alex Gartrell:
* Scheduling of ICMP
* Sysctl to ignore tunneled packets, and hence avoid some packet-looping scenarios
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/ipvs/ip_vs_xmit.c

index cc7299033af808b5acfe447227c8194d1d06b809,c5be055ae32eda8fe41ba314ba1f9ecada8e84ee..9dbb7ccadecb2603c073c610ea391b13ef83f016
@@@ -224,7 -224,7 +224,7 @@@ static inline bool ensure_mtu_is_adequa
                        if (!skb->dev)
                                skb->dev = net->loopback_dev;
                        /* only send ICMP too big on first fragment */
-                       if (!ipvsh->fragoffs)
+                       if (!ipvsh->fragoffs && !ip_vs_iph_icmp(ipvsh))
                                icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                        IP_VS_DBG(1, "frag needed for %pI6c\n",
                                  &ipv6_hdr(skb)->saddr);
                        return true;
  
                if (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&
-                            skb->len > mtu && !skb_is_gso(skb))) {
+                            skb->len > mtu && !skb_is_gso(skb) &&
+                            !ip_vs_iph_icmp(ipvsh))) {
                        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                                  htonl(mtu));
                        IP_VS_DBG(1, "frag needed for %pI4\n",
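Review bot: The two branches of ensure_mtu_is_adequate now treat an oversized ICMP packet differently, and nothing in the code says whether that is intended. In the IPv6 branch only the `icmpv6_send()` call is guarded by `!ip_vs_iph_icmp(ipvsh)`, so the `IP_VS_DBG` and `return true` still run and the packet is reported as not fitting, while in the IPv4 branch the new test is part of the outer `unlikely(...)` condition, so the whole block is skipped for ICMP. The existing comment `/* only send ICMP too big on first fragment */` is also stale; I would reword it to `/* only send ICMP too big on first fragment, and never in reply to an ICMP packet */` and add a matching line above the IPv4 `if` that states what happens to the oversized ICMP packet there. The IPv4 block continues past the end of the hunk, so the asymmetry is inferred from the placement of the condition and should be confirmed against the full function.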
@@@ -573,8 -574,8 +574,8 @@@ static inline int ip_vs_nat_send_or_con
                skb_forward_csum(skb);
                if (!skb->sk)
                        skb_sender_cpu_clear(skb);
 -              NF_HOOK(pf, NF_INET_LOCAL_OUT, NULL, skb,
 -                      NULL, skb_dst(skb)->dev, dst_output_sk);
 +              NF_HOOK(pf, NF_INET_LOCAL_OUT, ip_vs_conn_net(cp), NULL, skb,
 +                      NULL, skb_dst(skb)->dev, dst_output_okfn);
        } else
                ret = NF_ACCEPT;
  
@@@ -595,8 -596,8 +596,8 @@@ static inline int ip_vs_send_or_cont(in
                skb_forward_csum(skb);
                if (!skb->sk)
                        skb_sender_cpu_clear(skb);
 -              NF_HOOK(pf, NF_INET_LOCAL_OUT, NULL, skb,
 -                      NULL, skb_dst(skb)->dev, dst_output_sk);
 +              NF_HOOK(pf, NF_INET_LOCAL_OUT, ip_vs_conn_net(cp), NULL, skb,
 +                      NULL, skb_dst(skb)->dev, dst_output_okfn);
        } else
                ret = NF_ACCEPT;
        return ret;
@@@ -656,10 -657,12 +657,12 @@@ in
  ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
                     struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
  {
+       struct ipv6hdr *iph = ipv6_hdr(skb);
        EnterFunction(10);
  
        rcu_read_lock();
-       if (__ip_vs_get_out_rt_v6(cp->af, skb, NULL, &ipvsh->daddr.in6, NULL,
+       if (__ip_vs_get_out_rt_v6(cp->af, skb, NULL, &iph->daddr, NULL,
                                  ipvsh, 0, IP_VS_RT_MODE_NON_LOCAL) < 0)
                goto tx_error;
  
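Review bot: The switch from `&ipvsh->daddr.in6` to `&iph->daddr` in the `__ip_vs_get_out_rt_v6()` call carries no comment explaining why the route lookup now reads the raw IPv6 header instead of the parsed ip_vs header. If the reason is that `ipvsh` can describe the packet embedded in an ICMP message rather than the packet being forwarded (my reading of the series, not visible in this hunk), a line such as `/* route on the outer header; ipvsh may describe an embedded ICMP payload */` above the call would keep someone from reverting it as a cleanup and sending bypassed traffic to the wrong destination. The new declaration `struct ipv6hdr *iph = ipv6_hdr(skb);` should also be followed by a blank line before `EnterFunction(10);`. The body of ip_vs_bypass_xmit_v6 continues outside the hunk.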
@@@ -723,7 -726,7 +726,7 @@@ ip_vs_nat_xmit(struct sk_buff *skb, str
                struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  
                if (ct && !nf_ct_is_untracked(ct)) {
-                       IP_VS_DBG_RL_PKT(10, AF_INET, pp, skb, 0,
+                       IP_VS_DBG_RL_PKT(10, AF_INET, pp, skb, ipvsh->off,
                                         "ip_vs_nat_xmit(): "
                                         "stopping DNAT to local address");
                        goto tx_error;
  
        /* From world but DNAT to loopback address? */
        if (local && ipv4_is_loopback(cp->daddr.ip) && was_input) {
-               IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
-                                "stopping DNAT to loopback address");
+               IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, ipvsh->off,
+                                "ip_vs_nat_xmit(): stopping DNAT to loopback "
+                                "address");
                goto tx_error;
        }
  
        ip_hdr(skb)->daddr = cp->daddr.ip;
        ip_send_check(ip_hdr(skb));
  
-       IP_VS_DBG_PKT(10, AF_INET, pp, skb, 0, "After DNAT");
+       IP_VS_DBG_PKT(10, AF_INET, pp, skb, ipvsh->off, "After DNAT");
  
        /* FIXME: when application helper enlarges the packet and the length
           is larger than the MTU of outgoing device, there will be still
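Review bot: The loopback message in ip_vs_nat_xmit is now broken in the middle of the phrase, as `"ip_vs_nat_xmit(): stopping DNAT to loopback "` followed by `"address"`, so searching the tree for the text seen in a log ("stopping DNAT to loopback address") no longer finds this line. The local-address message earlier in the same hunk and the IPv6 counterpart both keep the phrase whole after the function-name prefix, and this call should do the same: `"ip_vs_nat_xmit(): "` on one line and `"stopping DNAT to loopback address");` on the next. That fits the line length once `ipvsh->off` sits on the first line of the call. ip_vs_nat_xmit starts and ends outside the hunk.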
@@@ -812,7 -816,7 +816,7 @@@ ip_vs_nat_xmit_v6(struct sk_buff *skb, 
                struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  
                if (ct && !nf_ct_is_untracked(ct)) {
-                       IP_VS_DBG_RL_PKT(10, AF_INET6, pp, skb, 0,
+                       IP_VS_DBG_RL_PKT(10, AF_INET6, pp, skb, ipvsh->off,
                                         "ip_vs_nat_xmit_v6(): "
                                         "stopping DNAT to local address");
                        goto tx_error;
        /* From world but DNAT to loopback address? */
        if (local && skb->dev && !(skb->dev->flags & IFF_LOOPBACK) &&
            ipv6_addr_type(&cp->daddr.in6) & IPV6_ADDR_LOOPBACK) {
-               IP_VS_DBG_RL_PKT(1, AF_INET6, pp, skb, 0,
+               IP_VS_DBG_RL_PKT(1, AF_INET6, pp, skb, ipvsh->off,
                                 "ip_vs_nat_xmit_v6(): "
                                 "stopping DNAT to loopback address");
                goto tx_error;
                goto tx_error;
        ipv6_hdr(skb)->daddr = cp->daddr.in6;
  
-       IP_VS_DBG_PKT(10, AF_INET6, pp, skb, 0, "After DNAT");
+       IP_VS_DBG_PKT(10, AF_INET6, pp, skb, ipvsh->off, "After DNAT");
  
        /* FIXME: when application helper enlarges the packet and the length
           is larger than the MTU of outgoing device, there will be still