git.baikalelectronics.ru Git - kernel.git/commit
netfilter: reject: skip csum verification for protocols that don't support it
author Alin Nastac <alin.nastac@gmail.com>
Wed, 13 Feb 2019 08:14:53 +0000 (09:14 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 13 Feb 2019 09:03:53 +0000 (10:03 +0100)
commit 7fc38225363dd8f19e667ad7c77b63bc4a5c065d
tree e0a67965b1a12cb5d3aac2f0720cbae18e84c111
parent 13f5251fd17088170c18844534682d9cab5ff5aa
netfilter: reject: skip csum verification for protocols that don't support it

Some protocols have other means to verify the payload integrity
(AH, ESP, SCTP) while others are incompatible with nf_ip(6)_checksum
implementation because checksum is either optional or might be
partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used
to validate the packets, ip(6)tables REJECT rules were not capable
to generate ICMP(v6) errors for the protocols mentioned above.

This commit also fixes the incorrect pseudo-header protocol used
for IPv4 packets that carry other transport protocols than TCP or
UDP (pseudo-header used protocol 0 iso the proper value).

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/ipv4/nf_reject.h
include/net/netfilter/ipv6/nf_reject.h
include/net/netfilter/nf_reject.h [new file with mode: 0644]
net/bridge/netfilter/nft_reject_bridge.c
net/ipv4/netfilter/nf_reject_ipv4.c
net/ipv6/netfilter/nf_reject_ipv6.c
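
The two behaviours the commit message describes, as an added userspace C illustration (not the kernel code from this commit): the checksum check is skipped for the listed protocols, and the IPv4 pseudo-header carries the packet's real protocol number. The names `reject_verify_csum`, `l4_sum` and `may_send_icmp_error` are hypothetical, and the sample packet is constructed, using the experimental protocol number 253 with a checksum in bytes 6-7.

```c
#include <stdbool.h>
#include <stdint.h>

/* IANA protocol numbers; 253 is reserved for experimentation. */
enum { P_TCP = 6, P_DCCP = 33, P_GRE = 47, P_ESP = 50, P_AH = 51,
       P_SCTP = 132, P_UDPLITE = 136, P_EXP = 253 };

/* Hypothetical helper: false where a generic checksum check cannot judge. */
static bool reject_verify_csum(uint8_t proto)
{
    switch (proto) {
    case P_AH: case P_ESP: case P_SCTP:       /* own integrity check */
    case P_UDPLITE: case P_DCCP: case P_GRE:  /* optional or partial */
        return false;
    }
    return true;
}

/* Ones-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t csum16(const uint8_t *p, unsigned len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Sum over IPv4 pseudo-header (ip = src || dst) plus segment; 0xffff = valid. */
static uint16_t l4_sum(const uint8_t *ip, uint8_t proto, const uint8_t *seg, uint16_t len)
{
    uint8_t ph[12] = { ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7],
                       0, proto, (uint8_t)(len >> 8), (uint8_t)len };
    return csum16(seg, len, csum16(ph, sizeof(ph), 0));
}

/* True when the REJECT path may answer this packet with an ICMP error. */
static bool may_send_icmp_error(const uint8_t *ip, uint8_t proto, const uint8_t *seg, uint16_t len)
{
    return !reject_verify_csum(proto) || l4_sum(ip, proto, seg, len) == 0xffff;
}

/* Constructed sample: 10.0.0.1 -> 10.0.0.2, checksum 0xd886 valid for proto 253. */
static const uint8_t SAMPLE_IP[8] = { 10, 0, 0, 1, 10, 0, 0, 2 };
static const uint8_t SAMPLE_SEG[8] = { 0x12, 0x34, 0x00, 0x35, 0x00, 0x08, 0xd8, 0x86 };

int main(void) { return may_send_icmp_error(SAMPLE_IP, P_EXP, SAMPLE_SEG, 8) ? 0 : 1; }
```

Summing the same segment with protocol 0 in the pseudo-header does not yield 0xffff, so a correctly checksummed packet would be treated as corrupt and get no ICMP error.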