netfilter: reject: skip csum verification for protocols that don't support it
author    Alin Nastac <alin.nastac@gmail.com>
          Wed, 13 Feb 2019 08:14:53 +0000 (09:14 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
          Wed, 13 Feb 2019 09:03:53 +0000 (10:03 +0100)
commit    1ce66f4913fd331d10fd5838788b4a2c7ef171b0
tree      e0a67965b1a12cb5d3aac2f0720cbae18e84c111
parent    986c210b9289d84c9815d009fbb6d5e8b14f4ef2
netfilter: reject: skip csum verification for protocols that don't support it

Some protocols have other means to verify the payload integrity
(AH, ESP, SCTP) while others are incompatible with nf_ip(6)_checksum
implementation because checksum is either optional or might be
partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used
to validate the packets, ip(6)tables REJECT rules were not capable
of generating ICMP(v6) errors for the protocols mentioned above.

This commit also fixes the incorrect pseudo-header protocol used
for IPv4 packets that carry other transport protocols than TCP or
UDP (pseudo-header used protocol 0 iso the proper value).

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
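The two problems the message describes, a checksum routine applied to protocols it cannot validate and a pseudo-header built with protocol 0 instead of the real transport number, are easiest to see on a concrete packet. The following is an added example, not code from this commit or from the kernel: it implements the RFC 1071 Internet checksum over an IPv4 pseudo-header, signs a constructed 20-byte TCP segment the way a sender would, and then verifies it once with the correct protocol number and once with protocol 0. The `reject_skips_csum()` helper is a hypothetical policy function that only mirrors the protocol list given in the message (AH, ESP, SCTP have their own integrity checks; UDPLITE, DCCP, GRE have optional or partial checksums); the protocol numbers are the IANA assignments, and the addresses and ports are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IANA protocol numbers (well-known values, not taken from the commit). */
enum {
    PROTO_TCP     = 6,
    PROTO_UDP     = 17,
    PROTO_DCCP    = 33,
    PROTO_GRE     = 47,
    PROTO_ESP     = 50,
    PROTO_AH      = 51,
    PROTO_SCTP    = 132,
    PROTO_UDPLITE = 136,
};

/* Hypothetical policy helper: 1 if a plain pseudo-header checksum cannot be
 * used to validate this protocol, so a REJECT path should not gate its ICMP
 * error on that check. Mirrors the commit message, not the kernel's code. */
int reject_skips_csum(uint8_t proto)
{
    switch (proto) {
    case PROTO_AH: case PROTO_ESP: case PROTO_SCTP:      /* own integrity checks */
    case PROTO_UDPLITE: case PROTO_DCCP: case PROTO_GRE: /* optional or partial csum */
        return 1;
    default:
        return 0;
    }
}

/* RFC 1071 one's-complement accumulator over a byte buffer (big-endian words). */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
    while (len > 1) {
        sum += (uint32_t)buf[0] << 8 | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len)                       /* odd trailing byte is padded with zero */
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold the 32-bit accumulator into 16 bits with end-around carry. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Checksum over the IPv4 pseudo-header (src, dst, zero, proto, length) plus
 * the transport segment. With the segment's checksum field zeroed this is
 * the value to store; with the stored value in place it returns 0 iff the
 * segment verifies under the given protocol number. */
uint16_t ipv4_transport_csum(const uint8_t src[4], const uint8_t dst[4],
                             uint8_t proto, const uint8_t *seg, size_t len)
{
    uint8_t ph[12];
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0;                     /* the "zero" byte of the pseudo-header */
    ph[9] = proto;                 /* must be the real transport protocol */
    ph[10] = (uint8_t)(len >> 8);
    ph[11] = (uint8_t)len;
    uint32_t sum = csum_partial(ph, sizeof ph, 0);
    sum = csum_partial(seg, len, sum);
    return (uint16_t)~csum_fold(sum);
}

/* Constructed sample: 20-byte TCP SYN 192.0.2.1:40000 -> 198.51.100.2:443.
 * Signs it with PROTO_TCP, then verifies it under verify_proto; returns the
 * verification result (0 = valid). */
int demo_verify(uint8_t verify_proto)
{
    const uint8_t src[4] = {192, 0, 2, 1};
    const uint8_t dst[4] = {198, 51, 100, 2};
    uint8_t tcp[20] = {
        0x9c, 0x40, 0x01, 0xbb,    /* source port 40000, destination port 443 */
        0x00, 0x00, 0x00, 0x01,    /* sequence number */
        0x00, 0x00, 0x00, 0x00,    /* acknowledgement number */
        0x50, 0x02, 0xff, 0xff,    /* data offset 5, SYN, window */
        0x00, 0x00, 0x00, 0x00,    /* checksum (filled below), urgent pointer */
    };
    uint16_t c = ipv4_transport_csum(src, dst, PROTO_TCP, tcp, sizeof tcp);
    tcp[16] = (uint8_t)(c >> 8);
    tcp[17] = (uint8_t)c;
    return ipv4_transport_csum(src, dst, verify_proto, tcp, sizeof tcp);
}

int main(void)
{
    printf("verify with proto TCP (6): 0x%04x\n", demo_verify(PROTO_TCP));
    printf("verify with proto 0:       0x%04x\n", demo_verify(0));
    printf("REJECT skips csum for SCTP: %d, for TCP: %d\n",
           reject_skips_csum(PROTO_SCTP), reject_skips_csum(PROTO_TCP));
    return 0;
}
```

Verifying with protocol 0 leaves a residue of exactly 6 in the folded sum, the difference between the real protocol byte and the zero the buggy pseudo-header carried, so every non-TCP/UDP packet looked corrupt and the REJECT target silently produced no ICMP error; for the protocols in `reject_skips_csum()` no pseudo-header checksum can be meaningful at all, which is why the fix bypasses the check rather than repairing it.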
include/net/netfilter/ipv4/nf_reject.h
include/net/netfilter/ipv6/nf_reject.h
include/net/netfilter/nf_reject.h [new file with mode: 0644]
net/bridge/netfilter/nft_reject_bridge.c
net/ipv4/netfilter/nf_reject_ipv4.c
net/ipv6/netfilter/nf_reject_ipv6.c