On Tue, Jun 25, 2019 at 11:00 PM Bruce Ashfield
<bruce.ashfi...@gmail.com> wrote:
>
> On Tue, Jun 25, 2019 at 6:15 AM <zhe...@windriver.com> wrote:
> >
> > From: He Zhe <zhe...@windriver.com>
> >
> > Since v5.1-rc1, some types of packets do not get an unreachable reply with the
> > following iptables setting. For example,
>
> So what's the upstream status of this ? (I haven't checked netdev yet).
>

I should have just checked and saved an email. I found your submission
of the change, but don't see any feedback. I'll follow along on netdev
and see where it goes.

Bruce

> Bruce
>
> >
> > $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> > $ ping 127.0.0.1 -c 1
> > PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> > --- 127.0.0.1 ping statistics ---
> > 1 packets transmitted, 0 received, 100% packet loss, time 0ms
> >
> > We should have got the following reply on the command line, but we did not.
> > From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> >
> > Yi Zhao reported it and narrowed it down to
> > 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it").
> >
> > This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
> > packets that are of neither TCP nor UDP, and thus ICMP packets are mistakenly
> > treated as TCP/UDP.
> >
> > This patch corrects the conditions in nf_ip_checksum and all other places that
> > still call it with protocol 0.
> >
> > Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
> > Reported-by: Yi Zhao <yi.z...@windriver.com>
> > Signed-off-by: He Zhe <zhe...@windriver.com>
> > ---
> > This has been sent upstream and would probably be handled in the next round.
> > It's worth merging it before that.
> >
> >  net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> >  net/netfilter/nf_nat_proto.c            | 2 +-
> >  net/netfilter/utils.c                   | 5 +++--
> >  3 files changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
> > b/net/netfilter/nf_conntrack_proto_icmp.c
> > index a824367..dd53e2b 100644
> > --- a/net/netfilter/nf_conntrack_proto_icmp.c
> > +++ b/net/netfilter/nf_conntrack_proto_icmp.c
> > @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> >         /* See ip_conntrack_proto_tcp.c */
> >         if (state->net->ct.sysctl_checksum &&
> >             state->hook == NF_INET_PRE_ROUTING &&
> > -           nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> > +           nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> >                 icmp_error_log(skb, state, "bad hw icmp checksum");
> >                 return -NF_ACCEPT;
> >         }
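Review bot: this hunk is only correct in combination with the utils.c hunk of the same patch, and the cover note ("worth merging it before that") invites carrying it ahead of upstream. With the old `protocol == 0` convention still in nf_ip_checksum, passing IPPROTO_ICMP here would make conntrack verify ICMP echo requests against a TCP/UDP pseudo-header and drop them with "bad hw icmp checksum" whenever nf_conntrack_checksum is on at PRE_ROUTING, i.e. the very mis-treatment the commit message describes. Please keep the three hunks as one commit when merging into the -yocto branches and make sure the Fixes: tag stays intact so stable backports pick up all of them together.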
> > diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
> > index 07da077..83a24cc 100644
> > --- a/net/netfilter/nf_nat_proto.c
> > +++ b/net/netfilter/nf_nat_proto.c
> > @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
> >
> >         if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
> >                 return 0;
> > -       if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
> > +       if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
> >                 return 0;
> >
> >         inside = (void *)skb->data + hdrlen;
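Review bot: the commit message reproducer (an INPUT REJECT rule plus `ping 127.0.0.1`) does not pass through nf_nat_icmp_reply_translation, so nothing in the description shows this caller being exercised, and unlike the conntrack hunk this one returns 0 silently on a checksum failure, so a regression here would not even show up in the log. A sentence in the commit message on how the NAT ICMP-error path was tested (for example an ICMP error forwarded through a NAT rule, once with a correct and once with a corrupted checksum) would help whoever backports this.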
> > diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
> > index 06dc555..51b454d 100644
> > --- a/net/netfilter/utils.c
> > +++ b/net/netfilter/utils.c
> > @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
> > hook,
> >         case CHECKSUM_COMPLETE:
> >                 if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
> >                         break;
> > -               if ((protocol == 0 && !csum_fold(skb->csum)) ||
> > +               if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
> > +                   !csum_fold(skb->csum)) ||
> >                     !csum_tcpudp_magic(iph->saddr, iph->daddr,
> >                                        skb->len - dataoff, protocol,
> >                                        skb->csum)) {
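Review bot: in the CHECKSUM_COMPLETE test the second operand of the `||` is still evaluated for non-TCP/UDP protocols. When `csum_fold(skb->csum)` is non-zero for, say, IPPROTO_ICMP, `csum_tcpudp_magic(iph->saddr, iph->daddr, skb->len - dataoff, protocol, skb->csum)` is computed with a pseudo-header that ICMP does not cover, and if that meaningless sum happens to fold to zero the packet is marked CHECKSUM_UNNECESSARY despite a bad checksum. The old `protocol == 0` form had the same shape, so this is not a regression of the patch, but since the condition is being rewritten anyway it would be cleaner to pick exactly one check per protocol class, e.g. `bool tcpudp = protocol == IPPROTO_TCP || protocol == IPPROTO_UDP;` followed by `if (tcpudp ? !csum_tcpudp_magic(...) : !csum_fold(skb->csum))`, which also removes the double evaluation.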
> > @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
> > hook,
> >                 }
> >                 /* fall through */
> >         case CHECKSUM_NONE:
> > -               if (protocol == 0)
> > +               if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
> >                         skb->csum = 0;
> >                 else
> >                         skb->csum = csum_tcpudp_nofold(iph->saddr, 
> > iph->daddr,
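Review bot: the predicate `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` now appears twice in nf_ip_checksum (here and in the CHECKSUM_COMPLETE case above); hoisting it into a local bool or a small static inline helper would keep the two sites from drifting apart. The change also flips the meaning of the `protocol` parameter from "0 means no pseudo-header" to "the real IP protocol number of the packet", which the function has no comment for; a one-line comment on the parameter above nf_ip_checksum would make it clear to future callers that passing 0 is no longer the way to ask for a plain checksum.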
> > --
> > 2.7.4
> >
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II

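The following is an added example, not code from the patch or from the kernel: a user-space C model of the decision nf_ip_checksum makes on its `protocol` argument, run over a constructed ICMP echo request and a constructed UDP datagram addressed 127.0.0.1 to 127.0.0.1 as in the reproducer. The csum_* helpers re-implement the RFC 1071 semantics of the kernel functions of the same name in host-order arithmetic; `verify_before`, `verify_after` and `run_demo` are names of this example rather than kernel functions, and `verify_before` models the intended check of the old code (0 means no pseudo-header, anything else is treated as TCP/UDP) rather than the exact `||` expression in the hunk. It shows what the commit message describes: a caller that hands in the real protocol number makes the old code validate ICMP against a TCP/UDP pseudo-header and reject a perfectly good packet, while the new predicate accepts it and still catches a corrupted one.

```c
/* Added example, not part of the patch or the kernel: a user-space model of the
 * nf_ip_checksum() decision the patch changes.  Packet bytes and addresses are
 * constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17

/* One's-complement accumulate over 16-bit big-endian words, like csum_partial(). */
static uint32_t csum_partial(const uint8_t *data, size_t len, uint32_t sum)
{
    while (len >= 2) {
        sum += (uint32_t)data[0] << 8 | data[1];
        data += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)data[0] << 8;
    return sum;
}

/* Fold to 16 bits and complement, like csum_fold(): a correct packet folds to 0. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Add the IPv4 pseudo-header (saddr, daddr, proto, length) before folding, like
 * csum_tcpudp_magic().  Only TCP and UDP include this in their checksum. */
static uint16_t csum_tcpudp_magic(uint32_t saddr, uint32_t daddr,
                                  uint16_t len, uint8_t proto, uint32_t sum)
{
    sum += saddr >> 16; sum += saddr & 0xffff;
    sum += daddr >> 16; sum += daddr & 0xffff;
    sum += proto;
    sum += len;
    return csum_fold(sum);
}

static void put_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Model of nf_ip_checksum() before the patch: protocol 0 means "no
 * pseudo-header"; any other value is assumed to be TCP or UDP. */
static uint16_t verify_before(const uint8_t *pkt, size_t len, uint8_t protocol,
                              uint32_t saddr, uint32_t daddr)
{
    uint32_t sum = csum_partial(pkt, len, 0);
    if (protocol == 0)
        return csum_fold(sum);
    return csum_tcpudp_magic(saddr, daddr, (uint16_t)len, protocol, sum);
}

/* Model of nf_ip_checksum() after the patch: only TCP and UDP get the pseudo-header. */
static uint16_t verify_after(const uint8_t *pkt, size_t len, uint8_t protocol,
                             uint32_t saddr, uint32_t daddr)
{
    uint32_t sum = csum_partial(pkt, len, 0);
    if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
        return csum_fold(sum);
    return csum_tcpudp_magic(saddr, daddr, (uint16_t)len, protocol, sum);
}

struct demo_result {
    uint16_t icmp_before;         /* old code, caller passes IPPROTO_ICMP: non-zero (rejected) */
    uint16_t icmp_after;          /* new code, same call: 0 (accepted) */
    uint16_t udp_after;           /* new code, UDP keeps its pseudo-header: 0 */
    uint16_t icmp_corrupt_after;  /* new code still catches a flipped byte: non-zero */
};

static struct demo_result run_demo(void)
{
    /* Constructed ICMP echo request: type 8, code 0, checksum, id, seq, 8 bytes data. */
    uint8_t icmp[16] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1,
                         'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    /* Constructed UDP datagram: sport 1234, dport 53, length 12, checksum, 4 bytes data. */
    uint8_t udp[12] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0, 0, 'p', 'i', 'n', 'g' };
    const uint32_t saddr = 0x7f000001, daddr = 0x7f000001;  /* 127.0.0.1 -> 127.0.0.1 */
    struct demo_result r;

    /* ICMP covers only itself; UDP covers the pseudo-header as well. */
    put_be16(icmp + 2, csum_fold(csum_partial(icmp, sizeof icmp, 0)));
    put_be16(udp + 6, csum_tcpudp_magic(saddr, daddr, sizeof udp, IPPROTO_UDP,
                                        csum_partial(udp, sizeof udp, 0)));

    r.icmp_before = verify_before(icmp, sizeof icmp, IPPROTO_ICMP, saddr, daddr);
    r.icmp_after  = verify_after(icmp, sizeof icmp, IPPROTO_ICMP, saddr, daddr);
    r.udp_after   = verify_after(udp, sizeof udp, IPPROTO_UDP, saddr, daddr);

    icmp[8] ^= 0x01;  /* corrupt one payload byte */
    r.icmp_corrupt_after = verify_after(icmp, sizeof icmp, IPPROTO_ICMP, saddr, daddr);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("old code, ICMP with IPPROTO_ICMP : 0x%04x (non-zero = rejected)\n", r.icmp_before);
    printf("new code, ICMP with IPPROTO_ICMP : 0x%04x\n", r.icmp_after);
    printf("new code, UDP with IPPROTO_UDP   : 0x%04x\n", r.udp_after);
    printf("new code, corrupted ICMP         : 0x%04x (non-zero = rejected)\n", r.icmp_corrupt_after);
    return 0;
}
```

The old code only ever worked for non-TCP/UDP callers that passed 0; once a caller hands in IPPROTO_ICMP, the pseudo-header sum (saddr, daddr, protocol and length) is added to a checksum that never included it, so a valid echo request no longer folds to zero and is treated as corrupt. The model deliberately ignores skb->ip_summed states and the CHECKSUM_UNNECESSARY shortcut, which is why loopback traffic, where the checksum is usually not verified at all, is not the path this matters on in practice.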
-- 
_______________________________________________
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto