git.baikalelectronics.ru Git - kernel.git/commit

author	Davide Caratti <dcaratti@redhat.com>
	Mon, 2 Jan 2017 12:29:41 +0000 (13:29 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 5 Jan 2017 12:24:47 +0000 (13:24 +0100)
commit	8c6e77d0f3a569c4a965f1fa6d5a624a938da4fc
tree	a5be2ddeaced82169b7d05c0846c9ad306df4390	tree \| snapshot
parent	fb91e6cda0191f94990b8c4bb4be4cad0aec2724	commit \| diff

netfilter: conntrack: validate SCTP crc32c in PREROUTING

implement sctp_error to let nf_conntrack_in validate crc32c on the packet
transport header. Assign skb->ip_summed to CHECKSUM_UNNECESSARY and return
NF_ACCEPT in case of successful validation; otherwise, return -NF_ACCEPT to
let netfilter skip connection tracking, like other protocols do.

Besides preventing corrupted packets from matching conntrack entries, this
fixes functionality of REJECT target: it was not generating any ICMP upon
reception of SCTP packets, because it was computing RFC 1624 checksum on
the packet and systematically mismatching crc32c in the SCTP header.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>