On 6/26/19 11:00 AM, Bruce Ashfield wrote:
> On Tue, Jun 25, 2019 at 6:15 AM <zhe...@windriver.com> wrote:
>> From: He Zhe <zhe...@windriver.com>
>>
>> Since v5.1-rc1, some types of packets do not get unreachable reply with the
>> following iptables setting. Fox example,
> So what's the upstream status of this ? (I haven't checked netdev yet).

It hasn't got reply yet. Maybe will be handled in next version.
https://lore.kernel.org/lkml/1561346258-272481-1-git-send-email-zhe...@windriver.com/

Zhe

>
> Bruce
>
>> $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>> $ ping 127.0.0.1 -c 1
>> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>> — 127.0.0.1 ping statistics —
>> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>>
>> We should have got the following reply from command line, but we did not.
>> From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>>
>> Yi Zhao reported it and narrowed it down to:
>> 7fc38225363d ("netfilter: reject: skip csum verification for protocols that 
>> don't support it"),
>>
>> This is because nf_ip_checksum still expects pseudo-header protocol type 0 
>> for
>> packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
>> treated as TCP/UDP.
>>
>> This patch corrects the conditions in nf_ip_checksum and all other places 
>> that
>> still call it with protocol 0.
>>
>> Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for 
>> protocols that don't support it")
>> Reported-by: Yi Zhao <yi.z...@windriver.com>
>> Signed-off-by: He Zhe <zhe...@windriver.com>
>> ---
>> This has been sent to upstream and would probably be handled next around. 
>> It's
>> worth merging it before that.
>>
>>  net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>>  net/netfilter/nf_nat_proto.c            | 2 +-
>>  net/netfilter/utils.c                   | 5 +++--
>>  3 files changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
>> b/net/netfilter/nf_conntrack_proto_icmp.c
>> index a824367..dd53e2b 100644
>> --- a/net/netfilter/nf_conntrack_proto_icmp.c
>> +++ b/net/netfilter/nf_conntrack_proto_icmp.c
>> @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>>         /* See ip_conntrack_proto_tcp.c */
>>         if (state->net->ct.sysctl_checksum &&
>>             state->hook == NF_INET_PRE_ROUTING &&
>> -           nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>> +           nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>>                 icmp_error_log(skb, state, "bad hw icmp checksum");
>>                 return -NF_ACCEPT;
>>         }
>> diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>> index 07da077..83a24cc 100644
>> --- a/net/netfilter/nf_nat_proto.c
>> +++ b/net/netfilter/nf_nat_proto.c
>> @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>>
>>         if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>>                 return 0;
>> -       if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>> +       if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>>                 return 0;
>>
>>         inside = (void *)skb->data + hdrlen;
>> diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>> index 06dc555..51b454d 100644
>> --- a/net/netfilter/utils.c
>> +++ b/net/netfilter/utils.c
>> @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
>> hook,
>>         case CHECKSUM_COMPLETE:
>>                 if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
>>                         break;
>> -               if ((protocol == 0 && !csum_fold(skb->csum)) ||
>> +               if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
>> +                   !csum_fold(skb->csum)) ||
>>                     !csum_tcpudp_magic(iph->saddr, iph->daddr,
>>                                        skb->len - dataoff, protocol,
>>                                        skb->csum)) {
>> @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
>> hook,
>>                 }
>>                 /* fall through */
>>         case CHECKSUM_NONE:
>> -               if (protocol == 0)
>> +               if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
>>                         skb->csum = 0;
>>                 else
>>                         skb->csum = csum_tcpudp_nofold(iph->saddr, 
>> iph->daddr,
>> --
>> 2.7.4
>>
>

-- 
_______________________________________________
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto

Reply via email to