Re: [linux-yocto] [yocto-kernel-cache][yocto-5.10][PATCH v2] nf: drop merged patch
merged. Bruce In message: [linux-yocto] [yocto-kernel-cache][yocto-5.10][PATCH v2] nf: drop merged patch on 20/08/2021 Naveen Saini wrote: > From: Bruce Ashfield > > Ref: > https://github.com/torvalds/linux/commit/5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8 > https://git.yoctoproject.org/cgit/cgit.cgi/yocto-kernel-cache/commit/?h=yocto-5.13=b085ea380cfe6101f56665de6b2362b66fcef9eb > > Signed-off-by: Bruce Ashfield > Signed-off-by: Naveen Saini > --- > features/net/net.scc | 1 - > ...emainder-of-pseudo-header-protocol-0.patch | 92 --- > 2 files changed, 93 deletions(-) > delete mode 100644 > features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch > > diff --git a/features/net/net.scc b/features/net/net.scc > index a907e016..606aaa91 100644 > --- a/features/net/net.scc > +++ b/features/net/net.scc > @@ -1,4 +1,3 @@ > # SPDX-License-Identifier: MIT > > kconf hardware net.cfg > -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch > diff --git > a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch > b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch > deleted file mode 100644 > index d1fdbf98.. > --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch > +++ /dev/null > @@ -1,92 +0,0 @@ > -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001 > -From: He Zhe > -Date: Tue, 25 Jun 2019 18:15:50 +0800 > -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0 > -MIME-Version: 1.0 > -Content-Type: text/plain; charset=UTF-8 > -Content-Transfer-Encoding: 8bit > - > -Since v5.1-rc1, some types of packets do not get unreachable reply with the > -following iptables setting. Fox example, > - > -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT > -$ ping 127.0.0.1 -c 1 > -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. > -— 127.0.0.1 ping statistics — > -1 packets transmitted, 0 received, 100% packet loss, time 0ms > - > -We should have got the following reply from command line, but we did not. > -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable > - > -Yi Zhao reported it and narrowed it down to: > -7fc38225363d ("netfilter: reject: skip csum verification for protocols that > don't support it"), > - > -This is because nf_ip_checksum still expects pseudo-header protocol type 0 > for > -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly > -treated as TCP/UDP. > - > -This patch corrects the conditions in nf_ip_checksum and all other places > that > -still call it with protocol 0. > - > -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for > protocols that don't support it") > -Reported-by: Yi Zhao > -Signed-off-by: He Zhe > -Signed-off-by: Bruce Ashfield > > - net/netfilter/nf_conntrack_proto_icmp.c | 2 +- > - net/netfilter/nf_nat_proto.c| 2 +- > - net/netfilter/utils.c | 5 +++-- > - 3 files changed, 5 insertions(+), 4 deletions(-) > - > -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c > b/net/netfilter/nf_conntrack_proto_icmp.c > -index a824367ed518..dd53e2b20f6b 100644 > a/net/netfilter/nf_conntrack_proto_icmp.c > -+++ b/net/netfilter/nf_conntrack_proto_icmp.c > -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, > - /* See ip_conntrack_proto_tcp.c */ > - if (state->net->ct.sysctl_checksum && > - state->hook == NF_INET_PRE_ROUTING && > --nf_ip_checksum(skb, state->hook, dataoff, 0)) { > -+nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { > - icmp_error_log(skb, state, "bad hw icmp checksum"); > - return -NF_ACCEPT; > - } > -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c > -index 07da07788f6b..83a24cc5753b 100644 > a/net/netfilter/nf_nat_proto.c > -+++ b/net/netfilter/nf_nat_proto.c > -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, > - > - if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) > - return 0; > --if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) > -+if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) > - return 0; > - > - inside = (void *)skb->data + hdrlen; > -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c > -index 06dc55590441..51b454d8fa9c 100644 > a/net/netfilter/utils.c > -+++ b/net/netfilter/utils.c > -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int > hook, > - case CHECKSUM_COMPLETE: > -
[linux-yocto] [yocto-kernel-cache][yocto-5.10][PATCH v2] nf: drop merged patch
From: Bruce Ashfield Ref: https://github.com/torvalds/linux/commit/5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8 https://git.yoctoproject.org/cgit/cgit.cgi/yocto-kernel-cache/commit/?h=yocto-5.13=b085ea380cfe6101f56665de6b2362b66fcef9eb Signed-off-by: Bruce Ashfield Signed-off-by: Naveen Saini --- features/net/net.scc | 1 - ...emainder-of-pseudo-header-protocol-0.patch | 92 --- 2 files changed, 93 deletions(-) delete mode 100644 features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch diff --git a/features/net/net.scc b/features/net/net.scc index a907e016..606aaa91 100644 --- a/features/net/net.scc +++ b/features/net/net.scc @@ -1,4 +1,3 @@ # SPDX-License-Identifier: MIT kconf hardware net.cfg -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch diff --git a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch deleted file mode 100644 index d1fdbf98.. --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch +++ /dev/null @@ -1,92 +0,0 @@ -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001 -From: He Zhe -Date: Tue, 25 Jun 2019 18:15:50 +0800 -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since v5.1-rc1, some types of packets do not get unreachable reply with the -following iptables setting. Fox example, - -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT -$ ping 127.0.0.1 -c 1 -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. -— 127.0.0.1 ping statistics — -1 packets transmitted, 0 received, 100% packet loss, time 0ms - -We should have got the following reply from command line, but we did not. -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable - -Yi Zhao reported it and narrowed it down to: -7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"), - -This is because nf_ip_checksum still expects pseudo-header protocol type 0 for -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly -treated as TCP/UDP. - -This patch corrects the conditions in nf_ip_checksum and all other places that -still call it with protocol 0. - -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it") -Reported-by: Yi Zhao -Signed-off-by: He Zhe -Signed-off-by: Bruce Ashfield - net/netfilter/nf_conntrack_proto_icmp.c | 2 +- - net/netfilter/nf_nat_proto.c| 2 +- - net/netfilter/utils.c | 5 +++-- - 3 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c -index a824367ed518..dd53e2b20f6b 100644 a/net/netfilter/nf_conntrack_proto_icmp.c -+++ b/net/netfilter/nf_conntrack_proto_icmp.c -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, - /* See ip_conntrack_proto_tcp.c */ - if (state->net->ct.sysctl_checksum && - state->hook == NF_INET_PRE_ROUTING && -- nf_ip_checksum(skb, state->hook, dataoff, 0)) { -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { - icmp_error_log(skb, state, "bad hw icmp checksum"); - return -NF_ACCEPT; - } -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c -index 07da07788f6b..83a24cc5753b 100644 a/net/netfilter/nf_nat_proto.c -+++ b/net/netfilter/nf_nat_proto.c -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, - - if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) - return 0; -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) - return 0; - - inside = (void *)skb->data + hdrlen; -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c -index 06dc55590441..51b454d8fa9c 100644 a/net/netfilter/utils.c -+++ b/net/netfilter/utils.c -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, - case CHECKSUM_COMPLETE: - if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) - break; -- if ((protocol == 0 && !csum_fold(skb->csum)) || -+ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && -+ !csum_fold(skb->csum)) || - !csum_tcpudp_magic(iph->saddr, iph->daddr, - skb->len - dataoff, protocol, - skb->csum)) { -@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, - } - /* fall through */ - case CHECKSUM_NONE: -- if (protocol == 0) -+ if (protocol != IPPROTO_TCP && protocol !=