[linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0

2019-06-25 Thread zhe.he
From: He Zhe 

Since v5.1-rc1, some types of packets do not get an unreachable reply with the
following iptables setting. For example,

$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
$ ping 127.0.0.1 -c 1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

We should have got the following reply from the command line, but we did not.
From 127.0.0.1 icmp_seq=1 Destination Port Unreachable

Yi Zhao reported it and narrowed it down to:
7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it").

This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
packets that are of neither TCP nor UDP, and thus ICMP packets are mistakenly
treated as TCP/UDP.

This patch corrects the conditions in nf_ip_checksum and all other places that
still call it with protocol 0.

Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
Reported-by: Yi Zhao 
Signed-off-by: He Zhe 
---
This has been sent to upstream and would probably be handled in the next round. It's
worth merging it before that.

 net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
 net/netfilter/nf_nat_proto.c| 2 +-
 net/netfilter/utils.c   | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
b/net/netfilter/nf_conntrack_proto_icmp.c
index a824367..dd53e2b 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
/* See ip_conntrack_proto_tcp.c */
if (state->net->ct.sysctl_checksum &&
state->hook == NF_INET_PRE_ROUTING &&
-   nf_ip_checksum(skb, state->hook, dataoff, 0)) {
+   nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
icmp_error_log(skb, state, "bad hw icmp checksum");
return -NF_ACCEPT;
}
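Review bot: passing IPPROTO_ICMP here is only correct together with the utils.c hunk of this same patch; against an nf_ip_checksum() that still keys on `protocol == 0`, a real ICMP protocol number selects the csum_tcpudp_magic() pseudo-header path, and every ICMP packet checked at PRE_ROUTING with ct.sysctl_checksum enabled would hit the "bad hw icmp checksum" log and the -NF_ACCEPT error return. The commit message should state that the three files must land (and be backported) as one unit.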
diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
index 07da077..83a24cc 100644
--- a/net/netfilter/nf_nat_proto.c
+++ b/net/netfilter/nf_nat_proto.c
@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
 
if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
return 0;
-   if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
+   if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
return 0;
 
inside = (void *)skb->data + hdrlen;
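Review bot: under the new utils.c condition, 0 is still "not TCP/UDP", so leaving this call at 0 would have behaved identically; this hunk and the conntrack one are consistency clean-ups, while the functional fix for the REJECT regression is the utils.c change. Worth saying so in the commit message, since "all other places that still call it with protocol 0" reads as if these callers were also broken. Note also that this path fails silently (`return 0`) with no counterpart to icmp_error_log(), so a checksum regression here would only show up as ICMP errors for NATed connections no longer being translated.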
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 06dc555..51b454d 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
case CHECKSUM_COMPLETE:
if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
break;
-   if ((protocol == 0 && !csum_fold(skb->csum)) ||
+   if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
+   !csum_fold(skb->csum)) ||
!csum_tcpudp_magic(iph->saddr, iph->daddr,
   skb->len - dataoff, protocol,
   skb->csum)) {
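Review bot: the rewritten test keeps the `||`, so for a non-TCP/UDP packet whose plain csum_fold() is non-zero the code still goes on to consult csum_tcpudp_magic() with a pseudo-header the protocol does not use, and takes the "verified" branch if that unrelated sum happens to fold to zero (roughly a 1-in-65536 chance per corrupted packet). Since the point of the change is that ICMP has no pseudo-header, make it an explicit branch, e.g. `if (protocol == IPPROTO_TCP || protocol == IPPROTO_UDP) ok = !csum_tcpudp_magic(...); else ok = !csum_fold(skb->csum);`, so each protocol family is verified by exactly one sum.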
@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
}
/* fall through */
case CHECKSUM_NONE:
-   if (protocol == 0)
+   if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
skb->csum = 0;
else
skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
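Review bot: the `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` test now appears twice in this function (here and in the CHECKSUM_COMPLETE case above), and the contract of the `protocol` argument has silently changed from "pass 0 for no pseudo-header" to "pass the real IP protocol". A small static helper for the test, plus a comment on nf_ip_checksum() documenting the new contract, would keep the two sites from drifting and tell future callers what to pass.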
-- 
2.7.4

-- 
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
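The commit message above says ICMP packets were being verified as if they carried a TCP/UDP pseudo-header. The userspace model below is added here and is not part of He Zhe's patch or the kernel: it reimplements the fold and pseudo-header helpers in simplified form, runs the old and the fixed condition from nf_ip_checksum() over a constructed ICMP echo request and a constructed UDP datagram, and shows that only the fixed condition accepts valid ICMP while UDP keeps its pseudo-header check. LOOPBACK, nf_ip_checksum_model, check_icmp and check_udp are names of this example only.

```c
#include <stdint.h>
#include <stddef.h>

#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17
#define LOOPBACK 0x7f000001u   /* 127.0.0.1, as in the ping reproducer */

/* 16-bit one's-complement sum with a 32-bit accumulator, not yet folded. */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
    for (; len > 1; buf += 2, len -= 2)
        sum += ((uint32_t)buf[0] << 8) | buf[1];
    if (len)
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold to 16 bits and complement: 0 means "the covered bytes verify". */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Add the IPv4 pseudo-header (addresses, protocol, L4 length), then fold. */
static uint16_t csum_tcpudp_magic(uint32_t saddr, uint32_t daddr, uint16_t len,
                                  uint8_t proto, uint32_t sum)
{
    sum += (saddr >> 16) + (saddr & 0xffff) + (daddr >> 16) + (daddr & 0xffff);
    return csum_fold(sum + proto + len);
}

/* The CHECKSUM_COMPLETE test in nf_ip_checksum(): 0 means the packet verifies.
 * fixed=0 is the old "protocol == 0" test, fixed=1 the condition after the
 * patch. (The CHECKSUM_NONE recompute makes the same pseudo-header choice and
 * reaches the same verdict, so it is not modelled separately.) */
static int nf_ip_checksum_model(int fixed, uint8_t protocol, const uint8_t *l4,
                                size_t l4len, uint32_t saddr, uint32_t daddr)
{
    uint32_t sum = csum_partial(l4, l4len, 0);           /* skb->csum */
    int no_pseudo = fixed ? (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
                          : (protocol == 0);
    if ((no_pseudo && !csum_fold(sum)) ||
        !csum_tcpudp_magic(saddr, daddr, (uint16_t)l4len, protocol, sum))
        return 0;                                  /* CHECKSUM_UNNECESSARY */
    return 1;                                      /* "bad hw icmp checksum" */
}

/* Verdict on a constructed ICMP echo request (type 8) whose RFC 792 checksum
 * covers only the ICMP bytes, never a pseudo-header. */
static int check_icmp(int fixed)
{
    uint8_t pkt[16] = { 8, 0, 0, 0, 0, 0x34, 0, 1, 'n', 'e', 't', 'f', 'l', 't', 'r', 0 };
    uint16_t c = csum_fold(csum_partial(pkt, 16, 0));
    pkt[2] = c >> 8; pkt[3] = c & 0xff;
    return nf_ip_checksum_model(fixed, IPPROTO_ICMP, pkt, 16, LOOPBACK, LOOPBACK);
}

/* Verdict on a constructed UDP datagram, whose checksum does include the
 * pseudo-header: both conditions must keep taking the csum_tcpudp_magic path. */
static int check_udp(int fixed)
{
    uint8_t pkt[14] = { 0, 53, 0, 53, 0, 14, 0, 0, 'h', 'e', 'l', 'l', 'o', 0 };
    uint16_t c = csum_tcpudp_magic(LOOPBACK, LOOPBACK, 14, IPPROTO_UDP,
                                   csum_partial(pkt, 14, 0));
    pkt[6] = c >> 8; pkt[7] = c & 0xff;
    return nf_ip_checksum_model(fixed, IPPROTO_UDP, pkt, 14, LOOPBACK, LOOPBACK);
}
```

check_icmp(0) returns 1 (the old test rejects a valid echo request) while check_icmp(1), check_udp(0) and check_udp(1) return 0.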


[linux-yocto] failed to boot qemu with security.scc

2019-06-25 Thread He Zhe
Hi Bruce,

Have you ever met the following error with features/security/security.scc, when 
running qemux86?

...
[    **] A start job is running for Load Kernel Modules (7min 26s / 7min 31s)


* systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; static; 
vendor preset: disabled)
   Active: failed (Result: timeout) since Tue 2019-06-25 13:55:28 UTC; 6min ago
 Docs: man:systemd-modules-load.service(8)
   man:modules-load.d(5)
 Main PID: 110
    Tasks: 1 (limit: 570)
   Memory: 968.0K
   CGroup: /system.slice/systemd-modules-load.service
   `-110 /lib/systemd/systemd-modules-load

Jun 25 13:47:58 qemux86 systemd-modules-load[110]: Inserted module 'openvswitch'
Jun 25 13:49:27 qemux86 systemd[1]: systemd-modules-load.service: Start 
operation timed out. Terminating.
Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: State 
'stop-sigterm' timed out. Killing.
Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: Killing 
process 110 (systemd-modules) with signal SIGKILL.
Jun 25 13:52:28 qemux86 systemd[1]: systemd-modules-load.service: Processes 
still around after SIGKILL. Ignoring.
Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: State 
'stop-final-sigterm' timed out. Killing.
Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: Killing 
process 110 (systemd-modules) with signal SIGKILL.
Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Processes 
still around after final SIGKILL. Entering failed mode.
Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Failed with 
result 'timeout'.
Jun 25 13:55:28 qemux86 systemd[1]: Failed to start Load Kernel Modules.


Zhe


Re: [linux-yocto] failed to boot qemu with security.scc

2019-06-25 Thread He Zhe



On 6/26/19 10:49 AM, Bruce Ashfield wrote:
> On Tue, Jun 25, 2019 at 10:25 AM He Zhe  wrote:
>> Hi Bruce,
>>
>> Have you ever met the following error with features/security/security.scc, 
>> when running qemux86?
> Hmm. No, I haven't seen that.
>
> My old builds were using sysvinit, so I didn't have a recent build
> ready to go. But I just started a new one, and will do a boot test on
> (my) Tuesday.

It comes together with an endless:
"uvesafb: 5000 ms task timeout, infinitely waiting."
I found it was stuck on loading uvesafb and should be related to Yocto #8245.
I'm reading the history.

Thanks,
Zhe

>
> Bruce
>



Re: [linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0

2019-06-25 Thread Bruce Ashfield
On Tue, Jun 25, 2019 at 11:00 PM Bruce Ashfield
 wrote:
>
> On Tue, Jun 25, 2019 at 6:15 AM  wrote:
> >
> > From: He Zhe 
> >
> > Since v5.1-rc1, some types of packets do not get an unreachable reply with the
> > following iptables setting. For example,
>
> So what's the upstream status of this ? (I haven't checked netdev yet).
>

I should have just checked and saved an email. I found your submission
of the change, but don't see any feedback. I'll follow along on netdev
and see where it goes.

Bruce

> Bruce
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


Re: [linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0

2019-06-25 Thread Bruce Ashfield
On Tue, Jun 25, 2019 at 6:15 AM  wrote:
>
> From: He Zhe 
>
> Since v5.1-rc1, some types of packets do not get an unreachable reply with the
> following iptables setting. For example,

So what's the upstream status of this ? (I haven't checked netdev yet).

Bruce



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


Re: [linux-yocto] failed to boot qemu with security.scc

2019-06-25 Thread Bruce Ashfield
On Tue, Jun 25, 2019 at 10:25 AM He Zhe  wrote:
>
> Hi Bruce,
>
> Have you ever met the following error with features/security/security.scc, 
> when running qemux86?

Hmm. No, I haven't seen that.

My old builds were using sysvinit, so I didn't have a recent build
ready to go. But I just started a new one, and will do a boot test on
(my) Tuesday.

Bruce




-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


Re: [linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0

2019-06-25 Thread He Zhe


On 6/26/19 11:00 AM, Bruce Ashfield wrote:
> On Tue, Jun 25, 2019 at 6:15 AM  wrote:
>> From: He Zhe 
>>
>> Since v5.1-rc1, some types of packets do not get an unreachable reply with the
>> following iptables setting. For example,
> So what's the upstream status of this ? (I haven't checked netdev yet).

It hasn't got a reply yet. Maybe it will be handled in the next version.
https://lore.kernel.org/lkml/1561346258-272481-1-git-send-email-zhe...@windriver.com/

Zhe

>
> Bruce
>
