On Tue, Jun 25, 2019 at 11:03 PM He Zhe <[email protected]> wrote:
>
>
>
> On 6/26/19 11:00 AM, Bruce Ashfield wrote:
> > On Tue, Jun 25, 2019 at 6:15 AM <[email protected]> wrote:
> >> From: He Zhe <[email protected]>
> >>
> >> Since v5.1-rc1, some types of packets do not get an unreachable reply with the
> >> following iptables setting. For example,
> > So what's the upstream status of this ? (I haven't checked netdev yet).
>
> It hasn't got a reply yet. Maybe it will be handled in the next version.
> https://lore.kernel.org/lkml/[email protected]/
>
I've gone ahead and merged the change.
If there are any updates, send incremental patches.
I'll have another look when I'm doing the 5.2+ official kernel, but
you'll know sooner than I will if there are changes required.
Bruce
> Zhe
>
> >
> > Bruce
> >
> >> $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> >> $ ping 127.0.0.1 -c 1
> >> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> >> --- 127.0.0.1 ping statistics ---
> >> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
> >>
> >> We should have got the following reply from command line, but we did not.
> >> From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> >>
> >> Yi Zhao reported it and narrowed it down to
> >> 7fc38225363d ("netfilter: reject: skip csum verification for protocols
> >> that don't support it").
> >>
> >> This is because nf_ip_checksum still expects pseudo-header protocol type 0
> >> for packets that are of neither TCP nor UDP, and thus ICMP packets are
> >> mistakenly treated as TCP/UDP.
> >>
> >> This patch corrects the conditions in nf_ip_checksum and all other places
> >> that still call it with protocol 0.
> >>
> >> Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
> >> protocols that don't support it")
> >> Reported-by: Yi Zhao <[email protected]>
> >> Signed-off-by: He Zhe <[email protected]>
> >> ---
> >> This has been sent to upstream and would probably be handled next around.
> >> It's worth merging it before that.
> >>
> >> net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> >> net/netfilter/nf_nat_proto.c | 2 +-
> >> net/netfilter/utils.c | 5 +++--
> >> 3 files changed, 5 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
> >> b/net/netfilter/nf_conntrack_proto_icmp.c
> >> index a824367..dd53e2b 100644
> >> --- a/net/netfilter/nf_conntrack_proto_icmp.c
> >> +++ b/net/netfilter/nf_conntrack_proto_icmp.c
> >> @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> >> /* See ip_conntrack_proto_tcp.c */
> >> if (state->net->ct.sysctl_checksum &&
> >> state->hook == NF_INET_PRE_ROUTING &&
> >> - nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> >> + nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> >> icmp_error_log(skb, state, "bad hw icmp checksum");
> >> return -NF_ACCEPT;
> >> }
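Review bot: this call site is only correct once the utils.c hunk of the same series is applied; against the old nf_ip_checksum(), `nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)` takes the TCP/UDP branch (protocol is no longer 0), runs the ICMP message through csum_tcpudp_magic() and logs "bad hw icmp checksum" for valid echo requests. Worth stating in the changelog that the three files must land together, since this is exactly the case where a partial cherry-pick into a distribution kernel would reintroduce the reported symptom.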
> >> diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
> >> index 07da077..83a24cc 100644
> >> --- a/net/netfilter/nf_nat_proto.c
> >> +++ b/net/netfilter/nf_nat_proto.c
> >> @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
> >>
> >> if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
> >> return 0;
> >> - if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
> >> + if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
> >> return 0;
> >>
> >> inside = (void *)skb->data + hdrlen;
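Review bot: same ordering dependency on the utils.c change as the conntrack hunk, but one more thing should be spelled out for this path: `hooknum` is passed straight through, and the utils.c code breaks out of the CHECKSUM_COMPLETE case before verifying anything unless the hook is NF_INET_PRE_ROUTING or NF_INET_LOCAL_IN, so for reply translation on other hooks this check is a no-op both before and after the patch. The protocol argument fix is right, but the commit message should not give the impression that ICMP reply translation now verifies checksums everywhere.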
> >> diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
> >> index 06dc555..51b454d 100644
> >> --- a/net/netfilter/utils.c
> >> +++ b/net/netfilter/utils.c
> >> @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int
> >> hook,
> >> case CHECKSUM_COMPLETE:
> >> if (hook != NF_INET_PRE_ROUTING && hook !=
> >> NF_INET_LOCAL_IN)
> >> break;
> >> - if ((protocol == 0 && !csum_fold(skb->csum)) ||
> >> + if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
> >> + !csum_fold(skb->csum)) ||
> >> !csum_tcpudp_magic(iph->saddr, iph->daddr,
> >> skb->len - dataoff, protocol,
> >> skb->csum)) {
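Review bot: the rewritten condition keeps the old short-circuit shape, so for a non-TCP/UDP protocol whose folded hardware sum is non-zero the `||` still evaluates csum_tcpudp_magic() with an IPPROTO_ICMP pseudo-header, which is meaningless for ICMP (it was equally meaningless with protocol 0 before, so behaviour is unchanged, but the intent is now harder to read). Consider computing `bool tcpudp = protocol == IPPROTO_TCP || protocol == IPPROTO_UDP;` once at the top of nf_ip_checksum() and writing the two paths as an explicit if/else. The meaning of the `protocol` parameter also changes here, from "0 means no pseudo-header" to a real IP protocol number, and that should be documented in a comment on the function so callers do not keep passing the old sentinel.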
> >> @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int
> >> hook,
> >> }
> >> /* fall through */
> >> case CHECKSUM_NONE:
> >> - if (protocol == 0)
> >> + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
> >> skb->csum = 0;
> >> else
> >> skb->csum = csum_tcpudp_nofold(iph->saddr,
> >> iph->daddr,
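Review bot: the predicate `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` is now duplicated between the CHECKSUM_COMPLETE and CHECKSUM_NONE cases; a single local computed before the switch keeps the two from drifting apart. A second point for the changelog: a leftover caller that still passes the old sentinel 0 keeps compiling and silently takes the `skb->csum = 0` path (0 is neither TCP nor UDP), so nothing flags it. The cover text says "all other places" were fixed while the diffstat shows two call sites; a tree-wide grep of nf_ip_checksum() callers passing a literal 0 would make that claim verifiable.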
> >> --
> >> 2.7.4
> >>
> >
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
--
_______________________________________________
linux-yocto mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/linux-yocto
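Added example, not part of the posted patch or of the kernel source: a user-space C model of the protocol decision that nf_ip_checksum() makes after this series. TCP and UDP checksums cover an IPv4 pseudo-header (source, destination, protocol, L4 length) plus the segment; ICMP checksums only the ICMP message. The block builds a constructed ICMP echo request and a constructed UDP datagram for 127.0.0.1, then checks each under the patched rule (pseudo-header only for IPPROTO_TCP/IPPROTO_UDP) and under the pre-patch rule (anything other than the sentinel 0 is treated as TCP/UDP). The helper names csum_partial, csum_fold and csum_pseudo are this example's own reimplementations, not the kernel functions; the packet contents are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17
#define LOOPBACK 0x7f000001u        /* 127.0.0.1, the address used in the thread's ping */
#define ICMP_LEN 16
#define UDP_LEN  12

/* RFC 1071 one's-complement accumulate over big-endian 16-bit words. */
static uint32_t csum_partial(const uint8_t *d, size_t len, uint32_t sum)
{
    for (; len > 1; d += 2, len -= 2)
        sum += ((uint32_t)d[0] << 8) | d[1];
    if (len)
        sum += (uint32_t)d[0] << 8;
    return sum;
}

/* Fold to 16 bits and complement; a result of 0 means "checksum verifies". */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 pseudo-header contribution; only TCP and UDP checksums include it. */
static uint32_t csum_pseudo(uint32_t saddr, uint32_t daddr, uint8_t proto, uint16_t len)
{
    return (saddr >> 16) + (saddr & 0xffff) + (daddr >> 16) + (daddr & 0xffff) + proto + len;
}

/* Model of the decision in nf_ip_checksum(). pre_patch == 1 models the old
 * rule (any protocol other than the sentinel 0 gets a pseudo-header); otherwise
 * only IPPROTO_TCP and IPPROTO_UDP do. Returns 0 when the checksum verifies. */
static uint16_t verify(uint32_t saddr, uint32_t daddr, uint8_t proto,
                       const uint8_t *l4, uint16_t len, int pre_patch)
{
    int tcpudp = pre_patch ? proto != 0
                           : (proto == IPPROTO_TCP || proto == IPPROTO_UDP);
    uint32_t sum = tcpudp ? csum_pseudo(saddr, daddr, proto, len) : 0;
    return csum_fold(csum_partial(l4, len, sum));
}

/* Constructed ICMP echo request (type 8); checksum covers the ICMP message only. */
static void build_icmp_echo(uint8_t *p)
{
    static const uint8_t t[ICMP_LEN] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1,
                                         'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    uint16_t c;
    memcpy(p, t, ICMP_LEN);
    c = csum_fold(csum_partial(p, ICMP_LEN, 0));
    p[2] = c >> 8; p[3] = c & 0xff;
}

/* Constructed UDP datagram (port 1234 -> 53); checksum includes the pseudo-header. */
static void build_udp(uint8_t *p)
{
    static const uint8_t t[UDP_LEN] = { 0x04, 0xd2, 0x00, 0x35, 0, UDP_LEN, 0, 0,
                                        'p', 'i', 'n', 'g' };
    uint16_t c;
    memcpy(p, t, UDP_LEN);
    c = csum_fold(csum_partial(p, UDP_LEN, csum_pseudo(LOOPBACK, LOOPBACK, IPPROTO_UDP, UDP_LEN)));
    if (c == 0) c = 0xffff;   /* UDP transmits a computed 0 as 0xffff (0 means "no checksum") */
    p[6] = c >> 8; p[7] = c & 0xff;
}

/* Verdicts (0 = verified) for the cases the thread is about. */
int icmp_echo_after_patch(void)  { uint8_t p[ICMP_LEN]; build_icmp_echo(p); return verify(LOOPBACK, LOOPBACK, IPPROTO_ICMP, p, ICMP_LEN, 0); }
int icmp_echo_before_patch(void) { uint8_t p[ICMP_LEN]; build_icmp_echo(p); return verify(LOOPBACK, LOOPBACK, IPPROTO_ICMP, p, ICMP_LEN, 1); }
int icmp_echo_corrupted(void)    { uint8_t p[ICMP_LEN]; build_icmp_echo(p); p[8] ^= 1; return verify(LOOPBACK, LOOPBACK, IPPROTO_ICMP, p, ICMP_LEN, 0); }
int udp_after_patch(void)        { uint8_t p[UDP_LEN]; build_udp(p); return verify(LOOPBACK, LOOPBACK, IPPROTO_UDP, p, UDP_LEN, 0); }
int udp_without_pseudo(void)     { uint8_t p[UDP_LEN]; build_udp(p); return csum_fold(csum_partial(p, UDP_LEN, 0)); }

int main(void)
{
    printf("ICMP echo, patched rule:   %s\n", icmp_echo_after_patch()  ? "bad csum" : "ok");
    printf("ICMP echo, pre-patch rule: %s\n", icmp_echo_before_patch() ? "bad csum" : "ok");
    printf("ICMP echo, one bit flipped:%s\n", icmp_echo_corrupted()    ? "bad csum" : "ok");
    printf("UDP with pseudo-header:    %s\n", udp_after_patch()        ? "bad csum" : "ok");
    printf("UDP without pseudo-header: %s\n", udp_without_pseudo()     ? "bad csum" : "ok");
    return 0;
}
```

The pre-patch rule rejects a perfectly valid echo request, which is why the REJECT rule in the thread never produced its ICMP reply, while the patched rule still catches a single flipped bit; the UDP pair shows why the pseudo-header cannot simply be dropped for everything.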