Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"

2019-07-02 Thread Bruce Ashfield
On Tue, Jul 2, 2019 at 12:17 PM He Zhe wrote:
>
>
>
> On 7/2/19 9:16 PM, He Zhe wrote:
> >
> > On 7/2/19 9:04 PM, Bruce Ashfield wrote:
> >> On Tue, Jul 2, 2019 at 4:54 AM  wrote:
> >>> From: He Zhe 
> >>>
> >>> The patch has already been applied on the tree. This would trigger
> >>> re-application when features/net/net.scc is included.
> >> Nothing should be including net.scc directly from a KERNEL_FEATURES.
> >> It is a patch + config block.
> >> So we won't be reverting this. Whatever is triggering that extra
> >> patching is using the wrong feature
> >> fragment.
> >>
> >> How exactly are you triggering the issue?
> > I'm triggering the issue from features/net/team/team.scc which includes 
> > net.scc.
>
> Would team.scc be considered an acceptable usage?

Possibly.

But since there's no description in the .scc file, it is hard to say
:D But going by the git history, it is possible that it is useful as
an optional feature.

In situations such as this, we break the included .scc file into an
"-enable" and a "config" variant. team.scc should include the config
variant, leaving the standard/base, and BSPs to include the full .scc
which is both patches and the config.

Bruce

>
> Thanks,
> Zhe
>
> >
> > Zhe
> >
> >> Bruce
> >>
> >>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
> >>> ---
> >>>  features/net/net.scc   |  1 -
> >>>  ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 
> >>> --
> >>>  2 files changed, 93 deletions(-)
> >>>  delete mode 100644 
> >>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>>
> >>> diff --git a/features/net/net.scc b/features/net/net.scc
> >>> index 722b320..4a4e0fb 100644
> >>> --- a/features/net/net.scc
> >>> +++ b/features/net/net.scc
> >>> @@ -1,3 +1,2 @@
> >>>
> >>>  kconf hardware net.cfg
> >>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> diff --git 
> >>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
> >>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> deleted file mode 100644
> >>> index d1fdbf9..000
> >>> --- 
> >>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> +++ /dev/null
> >>> @@ -1,92 +0,0 @@
> >>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
> >>> -From: He Zhe 
> >>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
> >>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
> >>> -MIME-Version: 1.0
> >>> -Content-Type: text/plain; charset=UTF-8
> >>> -Content-Transfer-Encoding: 8bit
> >>> -
> >>> -Since v5.1-rc1, some types of packets do not get unreachable reply with 
> >>> the
> >>> -following iptables setting. Fox example,
> >>> -
> >>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> >>> -$ ping 127.0.0.1 -c 1
> >>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> >>> -— 127.0.0.1 ping statistics —
> >>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
> >>> -
> >>> -We should have got the following reply from command line, but we did not.
> >>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> >>> -
> >>> -Yi Zhao reported it and narrowed it down to:
> >>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols 
> >>> that don't support it"),
> >>> -
> >>> -This is because nf_ip_checksum still expects pseudo-header protocol type 
> >>> 0 for
> >>> -packets that are of neither TCP or UDP, and thus ICMP packets are 
> >>> mistakenly
> >>> -treated as TCP/UDP.
> >>> -
> >>> -This patch corrects the conditions in nf_ip_checksum and all other 
> >>> places that
> >>> -still call it with protocol 0.
> >>> -
> >>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for 
> >>> protocols that don't support it")
> >>> -Reported-by: Yi Zhao 
> >>> -Signed-off-by: He Zhe 
> >>> -Signed-off-by: Bruce Ashfield 
> >>> 
> >>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> >>> - net/netfilter/nf_nat_proto.c| 2 +-
> >>> - net/netfilter/utils.c   | 5 +++--
> >>> - 3 files changed, 5 insertions(+), 4 deletions(-)
> >>> -
> >>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
> >>> b/net/netfilter/nf_conntrack_proto_icmp.c
> >>> -index a824367ed518..dd53e2b20f6b 100644
> >>>  a/net/netfilter/nf_conntrack_proto_icmp.c
> >>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
> >>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> >>> -   /* See ip_conntrack_proto_tcp.c */
> >>> -   if (state->net->ct.sysctl_checksum &&
> >>> -   state->hook == NF_INET_PRE_ROUTING &&
> >>> --  nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> >>> -+  nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> >>> -   icmp_error_log(skb, state, "bad hw icmp checksum");
> >>> -   return -NF_ACCEPT;
> >>> -   }
> >>> -diff --git a/net/netfilter/nf_nat_proto.c 

Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"

2019-07-02 Thread He Zhe


On 7/2/19 9:16 PM, He Zhe wrote:
>
> On 7/2/19 9:04 PM, Bruce Ashfield wrote:
>> On Tue, Jul 2, 2019 at 4:54 AM  wrote:
>>> From: He Zhe 
>>>
>>> The patch has already been applied on the tree. This would trigger
>>> re-application when features/net/net.scc is included.
>> Nothing should be including net.scc directly from a KERNEL_FEATURES.
>> It is a patch + config block.
>> So we won't be reverting this. Whatever is triggering that extra
>> patching is using the wrong feature
>> fragment.
>>
>> How exactly are you triggering the issue?
> I'm triggering the issue from features/net/team/team.scc which includes 
> net.scc.

Would team.scc be considered an acceptable usage?

Thanks,
Zhe

>
> Zhe
>
>> Bruce
>>
>>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
>>> ---
>>>  features/net/net.scc   |  1 -
>>>  ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 
>>> --
>>>  2 files changed, 93 deletions(-)
>>>  delete mode 100644 
>>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>>
>>> diff --git a/features/net/net.scc b/features/net/net.scc
>>> index 722b320..4a4e0fb 100644
>>> --- a/features/net/net.scc
>>> +++ b/features/net/net.scc
>>> @@ -1,3 +1,2 @@
>>>
>>>  kconf hardware net.cfg
>>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> diff --git 
>>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
>>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> deleted file mode 100644
>>> index d1fdbf9..000
>>> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> +++ /dev/null
>>> @@ -1,92 +0,0 @@
>>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
>>> -From: He Zhe 
>>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
>>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=UTF-8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
>>> -following iptables setting. Fox example,
>>> -
>>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>>> -$ ping 127.0.0.1 -c 1
>>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>>> -— 127.0.0.1 ping statistics —
>>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
>>> -
>>> -We should have got the following reply from command line, but we did not.
>>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>>> -
>>> -Yi Zhao reported it and narrowed it down to:
>>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols 
>>> that don't support it"),
>>> -
>>> -This is because nf_ip_checksum still expects pseudo-header protocol type 0 
>>> for
>>> -packets that are of neither TCP or UDP, and thus ICMP packets are 
>>> mistakenly
>>> -treated as TCP/UDP.
>>> -
>>> -This patch corrects the conditions in nf_ip_checksum and all other places 
>>> that
>>> -still call it with protocol 0.
>>> -
>>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for 
>>> protocols that don't support it")
>>> -Reported-by: Yi Zhao 
>>> -Signed-off-by: He Zhe 
>>> -Signed-off-by: Bruce Ashfield 
>>> 
>>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>>> - net/netfilter/nf_nat_proto.c| 2 +-
>>> - net/netfilter/utils.c   | 5 +++--
>>> - 3 files changed, 5 insertions(+), 4 deletions(-)
>>> -
>>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
>>> b/net/netfilter/nf_conntrack_proto_icmp.c
>>> -index a824367ed518..dd53e2b20f6b 100644
>>>  a/net/netfilter/nf_conntrack_proto_icmp.c
>>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
>>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>>> -   /* See ip_conntrack_proto_tcp.c */
>>> -   if (state->net->ct.sysctl_checksum &&
>>> -   state->hook == NF_INET_PRE_ROUTING &&
>>> --  nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>>> -+  nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>>> -   icmp_error_log(skb, state, "bad hw icmp checksum");
>>> -   return -NF_ACCEPT;
>>> -   }
>>> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>>> -index 07da07788f6b..83a24cc5753b 100644
>>>  a/net/netfilter/nf_nat_proto.c
>>> -+++ b/net/netfilter/nf_nat_proto.c
>>> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>>> -
>>> -   if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>>> -   return 0;
>>> --  if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>>> -+  if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>>> -   return 0;
>>> -
>>> -   inside = (void *)skb->data + hdrlen;
>>> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>>> -index 06dc55590441..51b454d8fa9c 100644
>>>  a/net/netfilter/utils.c
>>> -+++ 

Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"

2019-07-02 Thread He Zhe


On 7/2/19 9:04 PM, Bruce Ashfield wrote:
> On Tue, Jul 2, 2019 at 4:54 AM  wrote:
>> From: He Zhe 
>>
>> The patch has already been applied on the tree. This would trigger
>> re-application when features/net/net.scc is included.
> Nothing should be including net.scc directly from a KERNEL_FEATURES.
> It is a patch + config block.
> So we won't be reverting this. Whatever is triggering that extra
> patching is using the wrong feature
> fragment.
>
> How exactly are you triggering the issue?

I'm triggering the issue from features/net/team/team.scc which includes net.scc.

Zhe

>
> Bruce
>
>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
>> ---
>>  features/net/net.scc   |  1 -
>>  ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 
>> --
>>  2 files changed, 93 deletions(-)
>>  delete mode 100644 
>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>
>> diff --git a/features/net/net.scc b/features/net/net.scc
>> index 722b320..4a4e0fb 100644
>> --- a/features/net/net.scc
>> +++ b/features/net/net.scc
>> @@ -1,3 +1,2 @@
>>
>>  kconf hardware net.cfg
>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> diff --git 
>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> deleted file mode 100644
>> index d1fdbf9..000
>> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> +++ /dev/null
>> @@ -1,92 +0,0 @@
>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
>> -From: He Zhe 
>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=UTF-8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
>> -following iptables setting. Fox example,
>> -
>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>> -$ ping 127.0.0.1 -c 1
>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>> -— 127.0.0.1 ping statistics —
>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
>> -
>> -We should have got the following reply from command line, but we did not.
>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>> -
>> -Yi Zhao reported it and narrowed it down to:
>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that 
>> don't support it"),
>> -
>> -This is because nf_ip_checksum still expects pseudo-header protocol type 0 
>> for
>> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
>> -treated as TCP/UDP.
>> -
>> -This patch corrects the conditions in nf_ip_checksum and all other places 
>> that
>> -still call it with protocol 0.
>> -
>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for 
>> protocols that don't support it")
>> -Reported-by: Yi Zhao 
>> -Signed-off-by: He Zhe 
>> -Signed-off-by: Bruce Ashfield 
>> 
>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>> - net/netfilter/nf_nat_proto.c| 2 +-
>> - net/netfilter/utils.c   | 5 +++--
>> - 3 files changed, 5 insertions(+), 4 deletions(-)
>> -
>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
>> b/net/netfilter/nf_conntrack_proto_icmp.c
>> -index a824367ed518..dd53e2b20f6b 100644
>>  a/net/netfilter/nf_conntrack_proto_icmp.c
>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>> -   /* See ip_conntrack_proto_tcp.c */
>> -   if (state->net->ct.sysctl_checksum &&
>> -   state->hook == NF_INET_PRE_ROUTING &&
>> --  nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>> -+  nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>> -   icmp_error_log(skb, state, "bad hw icmp checksum");
>> -   return -NF_ACCEPT;
>> -   }
>> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>> -index 07da07788f6b..83a24cc5753b 100644
>>  a/net/netfilter/nf_nat_proto.c
>> -+++ b/net/netfilter/nf_nat_proto.c
>> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>> -
>> -   if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>> -   return 0;
>> --  if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>> -+  if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>> -   return 0;
>> -
>> -   inside = (void *)skb->data + hdrlen;
>> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>> -index 06dc55590441..51b454d8fa9c 100644
>>  a/net/netfilter/utils.c
>> -+++ b/net/netfilter/utils.c
>> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
>> hook,
>> -   case CHECKSUM_COMPLETE:
>> -   if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
>> -  

Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"

2019-07-02 Thread Bruce Ashfield
On Tue, Jul 2, 2019 at 4:54 AM  wrote:
>
> From: He Zhe 
>
> The patch has already been applied on the tree. This would trigger
> re-application when features/net/net.scc is included.

Nothing should be including net.scc directly from a KERNEL_FEATURES.
It is a patch + config block.
So we won't be reverting this. Whatever is triggering that extra
patching is using the wrong feature
fragment.

How exactly are you triggering the issue?

Bruce

>
> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
> ---
>  features/net/net.scc   |  1 -
>  ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 
> --
>  2 files changed, 93 deletions(-)
>  delete mode 100644 
> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>
> diff --git a/features/net/net.scc b/features/net/net.scc
> index 722b320..4a4e0fb 100644
> --- a/features/net/net.scc
> +++ b/features/net/net.scc
> @@ -1,3 +1,2 @@
>
>  kconf hardware net.cfg
> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> diff --git 
> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> deleted file mode 100644
> index d1fdbf9..000
> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
> -From: He Zhe 
> -Date: Tue, 25 Jun 2019 18:15:50 +0800
> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
> -following iptables setting. Fox example,
> -
> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> -$ ping 127.0.0.1 -c 1
> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> -— 127.0.0.1 ping statistics —
> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
> -
> -We should have got the following reply from command line, but we did not.
> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> -
> -Yi Zhao reported it and narrowed it down to:
> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that 
> don't support it"),
> -
> -This is because nf_ip_checksum still expects pseudo-header protocol type 0 
> for
> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
> -treated as TCP/UDP.
> -
> -This patch corrects the conditions in nf_ip_checksum and all other places 
> that
> -still call it with protocol 0.
> -
> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for 
> protocols that don't support it")
> -Reported-by: Yi Zhao 
> -Signed-off-by: He Zhe 
> -Signed-off-by: Bruce Ashfield 
> 
> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> - net/netfilter/nf_nat_proto.c| 2 +-
> - net/netfilter/utils.c   | 5 +++--
> - 3 files changed, 5 insertions(+), 4 deletions(-)
> -
> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
> b/net/netfilter/nf_conntrack_proto_icmp.c
> -index a824367ed518..dd53e2b20f6b 100644
>  a/net/netfilter/nf_conntrack_proto_icmp.c
> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> -   /* See ip_conntrack_proto_tcp.c */
> -   if (state->net->ct.sysctl_checksum &&
> -   state->hook == NF_INET_PRE_ROUTING &&
> --  nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> -+  nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> -   icmp_error_log(skb, state, "bad hw icmp checksum");
> -   return -NF_ACCEPT;
> -   }
> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
> -index 07da07788f6b..83a24cc5753b 100644
>  a/net/netfilter/nf_nat_proto.c
> -+++ b/net/netfilter/nf_nat_proto.c
> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
> -
> -   if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
> -   return 0;
> --  if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
> -+  if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
> -   return 0;
> -
> -   inside = (void *)skb->data + hdrlen;
> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
> -index 06dc55590441..51b454d8fa9c 100644
>  a/net/netfilter/utils.c
> -+++ b/net/netfilter/utils.c
> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
> hook,
> -   case CHECKSUM_COMPLETE:
> -   if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
> -   break;
> --  if ((protocol == 0 && !csum_fold(skb->csum)) ||
> -+  if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
> -+  !csum_fold(skb->csum)) ||
> -   

[linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"

2019-07-02 Thread zhe.he
From: He Zhe 

The patch has already been applied on the tree. This would trigger
re-application when features/net/net.scc is included.

This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
---
 features/net/net.scc   |  1 -
 ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 --
 2 files changed, 93 deletions(-)
 delete mode 100644 
features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch

diff --git a/features/net/net.scc b/features/net/net.scc
index 722b320..4a4e0fb 100644
--- a/features/net/net.scc
+++ b/features/net/net.scc
@@ -1,3 +1,2 @@
 
 kconf hardware net.cfg
-patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
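Review bot: the removed "patch" line is where net.scc wires in the fix, and the commit message does not say which feature includes net.scc so that the patch is applied a second time. Name the including fragment in the message (the thread identifies features/net/team/team.scc) and consider fixing the include there, or splitting net.scc so that a config-only fragment carries "kconf hardware net.cfg" alone, rather than dropping the patch for every user of net.scc.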
diff --git 
a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
deleted file mode 100644
index d1fdbf9..000
--- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
-From: He Zhe 
-Date: Tue, 25 Jun 2019 18:15:50 +0800
-Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since v5.1-rc1, some types of packets do not get unreachable reply with the
-following iptables setting. Fox example,
-
-$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
-$ ping 127.0.0.1 -c 1
-PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
-— 127.0.0.1 ping statistics —
-1 packets transmitted, 0 received, 100% packet loss, time 0ms
-
-We should have got the following reply from command line, but we did not.
-From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
-
-Yi Zhao reported it and narrowed it down to:
-7fc38225363d ("netfilter: reject: skip csum verification for protocols that 
don't support it"),
-
-This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
-packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
-treated as TCP/UDP.
-
-This patch corrects the conditions in nf_ip_checksum and all other places that
-still call it with protocol 0.
-
-Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols 
that don't support it")
-Reported-by: Yi Zhao 
-Signed-off-by: He Zhe 
-Signed-off-by: Bruce Ashfield 

- net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
- net/netfilter/nf_nat_proto.c| 2 +-
- net/netfilter/utils.c   | 5 +++--
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
b/net/netfilter/nf_conntrack_proto_icmp.c
-index a824367ed518..dd53e2b20f6b 100644
 a/net/netfilter/nf_conntrack_proto_icmp.c
-+++ b/net/netfilter/nf_conntrack_proto_icmp.c
-@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
-   /* See ip_conntrack_proto_tcp.c */
-   if (state->net->ct.sysctl_checksum &&
-   state->hook == NF_INET_PRE_ROUTING &&
--  nf_ip_checksum(skb, state->hook, dataoff, 0)) {
-+  nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
-   icmp_error_log(skb, state, "bad hw icmp checksum");
-   return -NF_ACCEPT;
-   }
-diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
-index 07da07788f6b..83a24cc5753b 100644
 a/net/netfilter/nf_nat_proto.c
-+++ b/net/netfilter/nf_nat_proto.c
-@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
- 
-   if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
-   return 0;
--  if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
-+  if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
-   return 0;
- 
-   inside = (void *)skb->data + hdrlen;
-diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
-index 06dc55590441..51b454d8fa9c 100644
 a/net/netfilter/utils.c
-+++ b/net/netfilter/utils.c
-@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
hook,
-   case CHECKSUM_COMPLETE:
-   if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
-   break;
--  if ((protocol == 0 && !csum_fold(skb->csum)) ||
-+  if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
-+  !csum_fold(skb->csum)) ||
-   !csum_tcpudp_magic(iph->saddr, iph->daddr,
-  skb->len - dataoff, protocol,
-  skb->csum)) {
-@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
hook,
-   }
-   /* fall through */
-   case CHECKSUM_NONE:
--  if (protocol == 0)
-+  if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
-   skb->csum = 0;
-   else
-   skb->csum =
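Review bot: the commit message's claim that the patch "has already been applied on the tree" needs a commit id or branch, because the 92 lines deleted here are the kernel-cache copy of the nf_ip_checksum fix and nothing in the revert lets a reader verify the replacement. Please cite the in-tree commit and confirm it covers all three touched files (nf_conntrack_proto_icmp.c, nf_nat_proto.c, utils.c), including both the CHECKSUM_COMPLETE and CHECKSUM_NONE branches where "protocol == 0" becomes the TCP/UDP test. The reproducer in the deleted message (the iptables REJECT rule for icmp-type 8 followed by "ping 127.0.0.1 -c 1") would serve as the post-revert check that the Destination Port Unreachable reply is still sent.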