git.openwrt.org Git - openwrt/staging/blogic.git/commit

author	Florian Westphal <fw@strlen.de>
	Mon, 16 Feb 2015 17:54:04 +0000 (18:54 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 3 Mar 2015 01:10:35 +0000 (02:10 +0100)
commit	ee586bbc28fb7128133457cf711880d13a3b7ce4
tree	d1e1991b5d622b588c11608b9164499a96869e51	tree \| snapshot
parent	b898441f4ece44933af90b116b467f7864dd1ae7	commit \| diff

netfilter: reject: don't send icmp error if csum is invalid

tcp resets are never emitted if the packet that triggers the
reject/reset has an invalid checksum.

For icmp error responses there was no such check.
It allows to distinguish icmp response generated via

iptables -I INPUT -p udp --dport 42 -j REJECT

and those emitted by network stack (won't respond if csum is invalid,
REJECT does).

Arguably its possible to avoid this by using conntrack and only
using REJECT with -m conntrack NEW/RELATED.

However, this doesn't work when connection tracking is not in use
or when using nf_conntrack_checksum=0.

Furthermore, sending errors in response to invalid csums doesn't make
much sense so just add similar test as in nf_send_reset.

Validate csum if needed and only send the response if it is ok.

Reference: http://bugzilla.redhat.com/show_bug.cgi?id=1169829
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/ipv4/nf_reject.h		diff \| blob \| history
include/net/netfilter/ipv6/nf_reject.h		diff \| blob \| history
net/ipv4/netfilter/ipt_REJECT.c		diff \| blob \| history
net/ipv4/netfilter/nf_reject_ipv4.c		diff \| blob \| history
net/ipv4/netfilter/nft_reject_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_reject_ipv6.c		diff \| blob \| history
net/netfilter/nft_reject_inet.c		diff \| blob \| history