On 6/26/19 11:00 AM, Bruce Ashfield wrote:
> On Tue, Jun 25, 2019 at 6:15 AM <[email protected]> wrote:
>> From: He Zhe <[email protected]>
>>
>> Since v5.1-rc1, some types of packets do not get an unreachable reply with the
>> following iptables setting. For example,
> So what's the upstream status of this? (I haven't checked netdev yet).
It hasn't got a reply yet. Maybe it will be handled in the next version.

https://lore.kernel.org/lkml/[email protected]/

Zhe

>
> Bruce
>
>> $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>> $ ping 127.0.0.1 -c 1
>> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>> --- 127.0.0.1 ping statistics ---
>> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>>
>> We should have got the following reply on the command line, but we did not.
>> From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>>
>> Yi Zhao reported it and narrowed it down to:
>> 7fc38225363d ("netfilter: reject: skip csum verification for protocols that
>> don't support it"),
>>
>> This is because nf_ip_checksum still expects pseudo-header protocol type 0
>> for packets that are of neither TCP nor UDP, and thus ICMP packets are
>> mistakenly treated as TCP/UDP.
>>
>> This patch corrects the conditions in nf_ip_checksum and all other places
>> that still call it with protocol 0.
>>
>> Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
>> protocols that don't support it")
>> Reported-by: Yi Zhao <[email protected]>
>> Signed-off-by: He Zhe <[email protected]>
>> ---
>> This has been sent to upstream and would probably be handled next round.
>> It's worth merging it before that.
>>
>> net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>> net/netfilter/nf_nat_proto.c | 2 +-
>> net/netfilter/utils.c | 5 +++--
>> 3 files changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
>> b/net/netfilter/nf_conntrack_proto_icmp.c
>> index a824367..dd53e2b 100644
>> --- a/net/netfilter/nf_conntrack_proto_icmp.c
>> +++ b/net/netfilter/nf_conntrack_proto_icmp.c
>> @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, >> /* See ip_conntrack_proto_tcp.c */ >> if (state->net->ct.sysctl_checksum && >> state->hook == NF_INET_PRE_ROUTING && >> - nf_ip_checksum(skb, state->hook, dataoff, 0)) { >> + nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { >> icmp_error_log(skb, state, "bad hw icmp checksum"); >> return -NF_ACCEPT; >> } >> diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c >> index 07da077..83a24cc 100644 >> --- a/net/netfilter/nf_nat_proto.c >> +++ b/net/netfilter/nf_nat_proto.c >> @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, >> >> if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) >> return 0; >> - if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) >> + if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) >> return 0; >> >> inside = (void *)skb->data + hdrlen; >> diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c >> index 06dc555..51b454d 100644 >> --- a/net/netfilter/utils.c >> +++ b/net/netfilter/utils.c >> @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int >> hook, >> case CHECKSUM_COMPLETE: >> if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) >> break; >> - if ((protocol == 0 && !csum_fold(skb->csum)) || >> + if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && >> + !csum_fold(skb->csum)) || >> !csum_tcpudp_magic(iph->saddr, iph->daddr, >> skb->len - dataoff, protocol, >> skb->csum)) { >> @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int >> hook, >> } >> /* fall through */ >> case CHECKSUM_NONE: >> - if (protocol == 0) >> + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) >> skb->csum = 0; >> else >> skb->csum = csum_tcpudp_nofold(iph->saddr, >> iph->daddr, >> -- >> 2.7.4 >> > -- _______________________________________________ linux-yocto mailing list [email protected] https://lists.yoctoproject.org/listinfo/linux-yocto
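Review bot: the nf_conntrack_proto_icmp.c hunk is only correct together with the utils.c hunks; applied on its own, `nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)` would hit the unmodified `csum_tcpudp_magic()` path and log "bad hw icmp checksum" for every ICMP packet whenever `state->net->ct.sysctl_checksum` is set. Since this is going into linux-yocto ahead of upstream, a sentence in the commit message stating that the callers and nf_ip_checksum() must change together would stop the caller hunks from being cherry-picked separately into a stable branch. While touching this line, the comment `/* See ip_conntrack_proto_tcp.c */` above it refers to the pre-nf_conntrack file name and could be updated to nf_conntrack_proto_tcp.c.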
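Review bot: in the nf_nat_proto.c hunk, `if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) return 0;` is, unlike the conntrack hunk, not gated on the checksum sysctl and gives no `icmp_error_log()` on failure, so a mismatch on the NAT path fails silently. That is pre-existing, but it is worth stating whether the loopback REJECT reproducer in the commit message exercises this path at all, or whether the NAT change is being made for consistency only; the same dependency on the utils.c hunks applies here, so this hunk must not be backported without them either.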
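Review bot: in the first utils.c hunk (CHECKSUM_COMPLETE) the `||` still lets a non-TCP/UDP packet that fails the plain `!csum_fold(skb->csum)` test be run through `csum_tcpudp_magic(iph->saddr, iph->daddr, skb->len - dataoff, protocol, skb->csum)` with protocol = IPPROTO_ICMP. ICMPv4 has no pseudo-header, so that second test has no meaning for it and treats the packet as verified whenever the made-up pseudo-header sum happens to fold to zero, roughly one corrupted packet in 65536, rather than falling through to the CHECKSUM_NONE recomputation. Suggest making the two tests exclusive, e.g. `ok = (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) ? !csum_fold(skb->csum) : !csum_tcpudp_magic(...);`, so the pseudo-header sum is only consulted for TCP and UDP.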
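Review bot: the second utils.c hunk (CHECKSUM_NONE) repeats the `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` test from the first hunk; hoist it once at the top of nf_ip_checksum(), e.g. `bool pseudohdr = protocol == IPPROTO_TCP || protocol == IPPROTO_UDP;`, so the CHECKSUM_COMPLETE and CHECKSUM_NONE cases cannot drift apart, and add a one-line comment that the function now treats every protocol other than TCP and UDP as having no pseudo-header, since until now the callers passing 0 were the only record of that convention.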
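The commit message explains the regression as nf_ip_checksum() applying the TCP/UDP pseudo-header sum to ICMP, which has none. The following is an added example, not code from the patch, the thread or the kernel: a userspace C model of the CHECKSUM_COMPLETE decision, with simplified re-implementations of the kernel helpers csum_partial(), csum_fold() and csum_tcpudp_magic() (plain host-order arithmetic on 16-bit words), a `with_fix` flag that selects the pre- or post-patch condition, and a constructed ICMP echo request and UDP datagram as input. It shows why a valid ICMP packet was rejected once callers passed IPPROTO_ICMP to the old condition, why the patched condition accepts it, and that UDP is unaffected.

```c
/*
 * Added example, not code from the patch or the kernel: a userspace model
 * of the decision nf_ip_checksum() makes in its CHECKSUM_COMPLETE case.
 * csum_partial(), csum_fold() and csum_tcpudp_magic() are simplified
 * re-implementations of the kernel helpers of the same name; the packets
 * below are constructed for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_ICMP 1 /* values as in <netinet/in.h>, defined here to stay self-contained */
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17

/* Accumulate 16-bit big-endian words into a 32-bit sum (like csum_partial). */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
	for (; len > 1; buf += 2, len -= 2)
		sum += ((uint32_t)buf[0] << 8) | buf[1];
	if (len)
		sum += (uint32_t)buf[0] << 8;
	return sum;
}

/* Fold carries and complement (like csum_fold); 0 means "checksum verifies". */
static uint16_t csum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Add the TCP/UDP pseudo-header (src, dst, proto, length) and fold, like
 * csum_tcpudp_magic(). ICMPv4 has no pseudo-header, so applying this to an
 * ICMP message is exactly the mistake the patch fixes. */
static uint16_t csum_tcpudp_magic(uint32_t saddr, uint32_t daddr,
				  uint16_t len, uint8_t proto, uint32_t sum)
{
	sum += (saddr >> 16) + (saddr & 0xffff);
	sum += (daddr >> 16) + (daddr & 0xffff);
	sum += proto + len;
	return csum_fold(sum);
}

/* Model of the CHECKSUM_COMPLETE test in nf_ip_checksum(); returns 0 when the
 * packet counts as verified. with_fix == 0: "protocol == 0" means no
 * pseudo-header (pre-patch); with_fix == 1: "not TCP and not UDP" means no
 * pseudo-header (patched). The "||" shape mirrors the kernel code. */
static uint16_t nf_ip_checksum_model(uint32_t saddr, uint32_t daddr,
				     const uint8_t *l4, uint16_t l4len,
				     uint8_t protocol, int with_fix)
{
	uint32_t sum = csum_partial(l4, l4len, 0);
	int no_pseudohdr = with_fix ?
		(protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) :
		(protocol == 0);

	if (no_pseudohdr && !csum_fold(sum))
		return 0;
	return csum_tcpudp_magic(saddr, daddr, l4len, protocol, sum);
}

static const uint32_t SADDR = 0x7f000001u; /* 127.0.0.1, as in the reproducer */
static const uint32_t DADDR = 0x7f000001u;

/* Constructed ICMP echo request with a correct plain checksum. protocol is
 * what the caller hands to nf_ip_checksum() (0 for the old callers,
 * IPPROTO_ICMP for the patched ones); corrupt flips a payload byte after the
 * checksum is written. Returns 1 if the model accepts the packet. */
int icmp_echo_accepted(int with_fix, uint8_t protocol, int corrupt)
{
	uint8_t pkt[16] = { 8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01,
			    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
	uint16_t c = csum_fold(csum_partial(pkt, sizeof pkt, 0));

	pkt[2] = c >> 8;
	pkt[3] = c & 0xff;
	if (corrupt)
		pkt[8] = 'A';
	return nf_ip_checksum_model(SADDR, DADDR, pkt, sizeof pkt,
				    protocol, with_fix) == 0;
}

/* Constructed UDP datagram with a correct pseudo-header checksum. */
int udp_accepted(int with_fix)
{
	uint8_t pkt[12] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 12, 0, 0,
			    'p', 'i', 'n', 'g' };
	uint16_t c = csum_tcpudp_magic(SADDR, DADDR, sizeof pkt, IPPROTO_UDP,
				       csum_partial(pkt, sizeof pkt, 0));

	if (!c)
		c = 0xffff; /* UDP encodes a computed zero as 0xffff */
	pkt[6] = c >> 8;
	pkt[7] = c & 0xff;
	return nf_ip_checksum_model(SADDR, DADDR, pkt, sizeof pkt,
				    IPPROTO_UDP, with_fix) == 0;
}

int main(void)
{
	printf("old condition, caller passes 0:            %s\n", icmp_echo_accepted(0, 0, 0) ? "accepted" : "rejected");
	printf("old condition, caller passes IPPROTO_ICMP: %s\n", icmp_echo_accepted(0, IPPROTO_ICMP, 0) ? "accepted" : "rejected");
	printf("patched condition, IPPROTO_ICMP:           %s\n", icmp_echo_accepted(1, IPPROTO_ICMP, 0) ? "accepted" : "rejected");
	printf("patched condition, corrupted payload:      %s\n", icmp_echo_accepted(1, IPPROTO_ICMP, 1) ? "accepted" : "rejected");
	printf("udp under both conditions:                 %s\n", udp_accepted(0) && udp_accepted(1) ? "accepted" : "rejected");
	return 0;
}
```

The second line of output is the regression: a correctly checksummed echo request fails as soon as a caller passes the real protocol number to the old condition, because the pseudo-header sum is non-zero for it. The corrupted case still fails under the patched condition, but only because its pseudo-header sum also happens to be non-zero; that is the one-in-65536 false accept the `||` leaves open for non-TCP/UDP packets.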
