[linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
From: He Zhe

Since v5.1-rc1, some types of packets do not get an unreachable reply with the
following iptables setting. For example,

$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
$ ping 127.0.0.1 -c 1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

We should have got the following reply from the command line, but we did not.
From 127.0.0.1 icmp_seq=1 Destination Port Unreachable

Yi Zhao reported it and narrowed it down to:
7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),

This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
packets that are of neither TCP nor UDP, and thus ICMP packets are mistakenly
treated as TCP/UDP.

This patch corrects the conditions in nf_ip_checksum and all other places that
still call it with protocol 0.

Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
Reported-by: Yi Zhao
Signed-off-by: He Zhe
---
This has been sent to upstream and would probably be handled next around. It's
worth merging it before that.

 net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
 net/netfilter/nf_nat_proto.c            | 2 +-
 net/netfilter/utils.c                   | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
index a824367..dd53e2b 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, /* See ip_conntrack_proto_tcp.c */ if (state->net->ct.sysctl_checksum && state->hook == NF_INET_PRE_ROUTING && - nf_ip_checksum(skb, state->hook, dataoff, 0)) { + nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { icmp_error_log(skb, state, "bad hw icmp checksum"); return -NF_ACCEPT; }
diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c index 07da077..83a24cc 100644 --- a/net/netfilter/nf_nat_proto.c +++ b/net/netfilter/nf_nat_proto.c @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) return 0; - if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) + if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) return 0; inside = (void *)skb->data + hdrlen; diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c index 06dc555..51b454d 100644 --- a/net/netfilter/utils.c +++ b/net/netfilter/utils.c @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, case CHECKSUM_COMPLETE: if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) break; - if ((protocol == 0 && !csum_fold(skb->csum)) || + if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && + !csum_fold(skb->csum)) || !csum_tcpudp_magic(iph->saddr, iph->daddr, skb->len - dataoff, protocol, skb->csum)) { @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, } /* fall through */ case CHECKSUM_NONE: - if (protocol == 0) + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) skb->csum = 0; else skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr, -- 2.7.4 -- ___ linux-yocto mailing list linux-yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/linux-yocto
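Review bot: in the nf_conntrack_proto_icmp.c hunk, passing IPPROTO_ICMP instead of 0 changes nothing on its own once the utils.c hunk is applied, because 0 and IPPROTO_ICMP are both "neither TCP nor UDP" under the new `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` tests. The commit message should say that this call-site change is a readability cleanup and that the utils.c hunk is the functional fix, so that a backporter does not take this hunk alone: before the utils.c change, any non-zero protocol selected the pseudo-header path (`else skb->csum = csum_tcpudp_nofold(...)`), and every ICMP packet with a correct checksum would then fail nf_ip_checksum.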
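Review bot: the nf_nat_proto.c hunk is behaviour-neutral for the same reason as the conntrack one, and the early `return 0` on a bad checksum is unchanged. Since the message claims to cover "all other places that still call it with protocol 0", it would help reviewers to state how the remaining callers were found (for example a tree-wide search for `nf_ip_checksum(` with a literal 0 as the last argument) so the claim can be checked rather than trusted.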
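Review bot: the first utils.c hunk (`@@ -17,7 +17,8 @@`) keeps the `||` structure, which exposes a pre-existing oddity to every non-TCP/UDP protocol: when `csum_fold(skb->csum)` is non-zero for such a packet, evaluation falls through to `!csum_tcpudp_magic(..., protocol, skb->csum)`, a pseudo-header sum computed with, say, the ICMP protocol number, which has no meaning for that protocol and can by chance come out zero, in which case a corrupted packet is marked CHECKSUM_UNNECESSARY. Consider selecting exactly one check per protocol, e.g. `bool pseudo = protocol == IPPROTO_TCP || protocol == IPPROTO_UDP;` followed by `if (pseudo ? !csum_tcpudp_magic(...) : !csum_fold(skb->csum))`.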
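Review bot: in the second utils.c hunk (`@@ -26,7 +27,7 @@`) the same two-protocol test is now written out a second time inside nf_ip_checksum; hoisting it into one local bool (or a small static helper) keeps the CHECKSUM_COMPLETE and CHECKSUM_NONE branches from drifting apart and records the new meaning of the parameter: the pseudo-header is added only for TCP and UDP, not "whenever protocol is non-zero". A one-line comment on the function saying so would also help the callers that still pass 0.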
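The mechanism the commit message describes, as an added userspace example that is not code from the patch or from the kernel: the arithmetic of the kernel's csum_partial(), csum_fold() and csum_tcpudp_magic() is re-implemented here under the same names, two constructed packets (an ICMP echo request and a UDP datagram, both 127.0.0.1 to 127.0.0.1 like the ping above) are given correct checksums, and a model of nf_ip_checksum()'s verdict is run over them. pseudo_header_patched() is the rule from the diff (pseudo-header for TCP and UDP only); pseudo_header_old() is a simplification of the pre-patch logic inferred from the diff's `else` branch (pseudo-header for any non-zero protocol), ignoring the `||` fallback in the CHECKSUM_COMPLETE case. The names nf_ip_checksum_model, fill_checksum, build_sample and verify_sample are this example's own.

```c
/* Added example: userspace re-implementation of the checksum arithmetic behind
 * nf_ip_checksum(), not the kernel's code. Data is handled as 16-bit big-endian
 * words in host integers, so no htons()/ntohs() is needed. */
#include <netinet/in.h>   /* IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unfolded one's-complement sum of 16-bit words, like csum_partial(). */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
    for (; len > 1; buf += 2, len -= 2)
        sum += ((uint32_t)buf[0] << 8) | buf[1];
    if (len)                          /* odd trailing byte, zero-padded */
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold carries into 16 bits and complement, like csum_fold(); 0 = verifies. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Add the IPv4 pseudo-header (saddr, daddr, zero byte + protocol, L4 length)
 * and fold, like csum_tcpudp_magic(). Only TCP and UDP define this. */
static uint16_t csum_tcpudp_magic(uint32_t saddr, uint32_t daddr,
                                  uint16_t len, uint8_t proto, uint32_t sum)
{
    sum += (saddr >> 16) + (saddr & 0xffff) + (daddr >> 16) + (daddr & 0xffff);
    sum += proto + len;
    return csum_fold(sum);
}

/* Which protocols get the pseudo-header: the patched rule (TCP and UDP only)
 * versus the pre-patch rule inferred from the diff's `else` branch (anything
 * but 0), which sent a caller passing IPPROTO_ICMP down the TCP/UDP path. */
static int pseudo_header_patched(uint8_t p) { return p == IPPROTO_TCP || p == IPPROTO_UDP; }
static int pseudo_header_old(uint8_t p)     { return p != 0; }

/* Model of nf_ip_checksum()'s verdict: 0 when the checksum verifies. */
static int nf_ip_checksum_model(const uint8_t *l4, size_t len, uint32_t saddr,
                                uint32_t daddr, uint8_t proto, int pseudo)
{
    uint32_t sum = csum_partial(l4, len, 0);
    if (pseudo)
        return csum_tcpudp_magic(saddr, daddr, (uint16_t)len, proto, sum) != 0;
    return csum_fold(sum) != 0;
}

/* Write the checksum field at 'off' so that the selected check verifies. */
static void fill_checksum(uint8_t *l4, size_t len, size_t off, int pseudo,
                          uint32_t saddr, uint32_t daddr, uint8_t proto)
{
    uint32_t sum;
    uint16_t c;
    l4[off] = l4[off + 1] = 0;
    sum = csum_partial(l4, len, 0);
    c = pseudo ? csum_tcpudp_magic(saddr, daddr, (uint16_t)len, proto, sum)
               : csum_fold(sum);
    l4[off] = (uint8_t)(c >> 8);
    l4[off + 1] = (uint8_t)(c & 0xff);
}

/* Constructed samples, 127.0.0.1 -> 127.0.0.1: an ICMP echo request (type 8,
 * id 0x1234, seq 1, 8 payload bytes) whose checksum covers only the ICMP
 * message, and a UDP datagram 1234 -> 53 (length 12) whose checksum includes
 * the pseudo-header. */
#define SADDR 0x7f000001u
#define DADDR 0x7f000001u

static size_t build_sample(int udp, uint8_t *out)
{
    static const uint8_t icmp[16] = { 8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01,
                                      'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    static const uint8_t udp_pkt[12] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c,
                                         0, 0, 'p', 'i', 'n', 'g' };
    size_t n = udp ? sizeof udp_pkt : sizeof icmp;
    memcpy(out, udp ? udp_pkt : icmp, n);
    fill_checksum(out, n, udp ? 6 : 2, udp, SADDR, DADDR,
                  udp ? IPPROTO_UDP : IPPROTO_ICMP);
    return n;
}

/* Verify sample (0 = ICMP echo, 1 = UDP) as a caller passing 'proto' would be
 * treated under the old or the patched rule; 0 means accepted. */
static int verify_sample(int udp, int old_rule, uint8_t proto)
{
    uint8_t buf[32];
    size_t n = build_sample(udp, buf);
    int pseudo = old_rule ? pseudo_header_old(proto) : pseudo_header_patched(proto);
    return nf_ip_checksum_model(buf, n, SADDR, DADDR, proto, pseudo);
}

int main(void)
{
    printf("ICMP echo, IPPROTO_ICMP, patched rule: %s\n", verify_sample(0, 0, IPPROTO_ICMP) ? "rejected" : "ok");
    printf("ICMP echo, IPPROTO_ICMP, old rule:     %s\n", verify_sample(0, 1, IPPROTO_ICMP) ? "rejected" : "ok");
    printf("UDP,       IPPROTO_UDP,  patched rule: %s\n", verify_sample(1, 0, IPPROTO_UDP) ? "rejected" : "ok");
    return 0;
}
```

Under the old rule the valid ICMP echo is rejected as soon as the caller passes IPPROTO_ICMP, while a caller passing 0 is still accepted; under the patched rule both spellings of "ICMP" take the plain-sum path and the packet is accepted, and UDP keeps its pseudo-header check. That is the difference between the REJECT rule answering the ping and silently dropping it.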
[linux-yocto] failed to boot qemu with security.scc
Hi Bruce,

Have you ever met the following error with features/security/security.scc,
when running qemux86?

...
[ **] A start job is running for Load Kernel Modules (7min 26s / 7min 31s)

* systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
   Active: failed (Result: timeout) since Tue 2019-06-25 13:55:28 UTC; 6min ago
     Docs: man:systemd-modules-load.service(8)
           man:modules-load.d(5)
 Main PID: 110
    Tasks: 1 (limit: 570)
   Memory: 968.0K
   CGroup: /system.slice/systemd-modules-load.service
           `-110 /lib/systemd/systemd-modules-load

Jun 25 13:47:58 qemux86 systemd-modules-load[110]: Inserted module 'openvswitch'
Jun 25 13:49:27 qemux86 systemd[1]: systemd-modules-load.service: Start operation timed out. Terminating.
Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: State 'stop-sigterm' timed out. Killing.
Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: Killing process 110 (systemd-modules) with signal SIGKILL.
Jun 25 13:52:28 qemux86 systemd[1]: systemd-modules-load.service: Processes still around after SIGKILL. Ignoring.
Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: State 'stop-final-sigterm' timed out. Killing.
Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: Killing process 110 (systemd-modules) with signal SIGKILL.
Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Processes still around after final SIGKILL. Entering failed mode.
Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Failed with result 'timeout'.
Jun 25 13:55:28 qemux86 systemd[1]: Failed to start Load Kernel Modules.

Zhe
Re: [linux-yocto] failed to boot qemu with security.scc
On 6/26/19 10:49 AM, Bruce Ashfield wrote:
> On Tue, Jun 25, 2019 at 10:25 AM He Zhe wrote:
>> Hi Bruce,
>>
>> Have you ever met the following error with features/security/security.scc,
>> when running qemux86?
> Hmm. No, I haven't seen that.
>
> My old builds were using sysvinit, so I didn't have a recent build
> ready to go. But I just started a new one, and will do a boot test on
> (my) Tuesday.

Coming together with endless:
"uvesafb: 5000 ms task timeout, infinitely waiting."
I found it was stuck on loading uvesafb and should be related to Yocto #8245.
I'm reading the history.

Thanks,
Zhe

>
> Bruce
>
>> ...
>> [**] A start job is running for Load Kernel Modules (7min 26s / 7min 31s)
>>
>>
>> * systemd-modules-load.service - Load Kernel Modules
>>    Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
>>    Active: failed (Result: timeout) since Tue 2019-06-25 13:55:28 UTC; 6min ago
>>      Docs: man:systemd-modules-load.service(8)
>>            man:modules-load.d(5)
>>  Main PID: 110
>>     Tasks: 1 (limit: 570)
>>    Memory: 968.0K
>>    CGroup: /system.slice/systemd-modules-load.service
>>            `-110 /lib/systemd/systemd-modules-load
>>
>> Jun 25 13:47:58 qemux86 systemd-modules-load[110]: Inserted module 'openvswitch'
>> Jun 25 13:49:27 qemux86 systemd[1]: systemd-modules-load.service: Start operation timed out. Terminating.
>> Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: State 'stop-sigterm' timed out. Killing.
>> Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: Killing process 110 (systemd-modules) with signal SIGKILL.
>> Jun 25 13:52:28 qemux86 systemd[1]: systemd-modules-load.service: Processes still around after SIGKILL. Ignoring.
>> Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: State 'stop-final-sigterm' timed out. Killing.
>> Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: Killing process 110 (systemd-modules) with signal SIGKILL.
>> Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Processes still around after final SIGKILL. Entering failed mode.
>> Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Failed with result 'timeout'.
>> Jun 25 13:55:28 qemux86 systemd[1]: Failed to start Load Kernel Modules.
>>
>>
>> Zhe
>
>
Re: [linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
On Tue, Jun 25, 2019 at 11:00 PM Bruce Ashfield wrote:
>
> On Tue, Jun 25, 2019 at 6:15 AM wrote:
> >
> > From: He Zhe
> >
> > Since v5.1-rc1, some types of packets do not get unreachable reply with the
> > following iptables setting. For example,
>
> So what's the upstream status of this ? (I haven't checked netdev yet).
>

I should have just checked and saved an email. I found your submission
of the change, but don't see any feedback. I'll follow along on netdev
and see where it goes.

Bruce

> Bruce
>
> >
> > $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> > $ ping 127.0.0.1 -c 1
> > PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> > --- 127.0.0.1 ping statistics ---
> > 1 packets transmitted, 0 received, 100% packet loss, time 0ms
> >
> > We should have got the following reply from command line, but we did not.
> > From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> >
> > Yi Zhao reported it and narrowed it down to:
> > 7fc38225363d ("netfilter: reject: skip csum verification for protocols that
> > don't support it"),
> >
> > This is because nf_ip_checksum still expects pseudo-header protocol type 0
> > for
> > packets that are of neither TCP nor UDP, and thus ICMP packets are mistakenly
> > treated as TCP/UDP.
> >
> > This patch corrects the conditions in nf_ip_checksum and all other places
> > that
> > still call it with protocol 0.
> >
> > Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
> > protocols that don't support it")
> > Reported-by: Yi Zhao
> > Signed-off-by: He Zhe
> > ---
> > This has been sent to upstream and would probably be handled next around.
> > It's
> > worth merging it before that.
> >
> > net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> > net/netfilter/nf_nat_proto.c            | 2 +-
> > net/netfilter/utils.c                   | 5 +++--
> > 3 files changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
> > index a824367..dd53e2b 100644
> > --- a/net/netfilter/nf_conntrack_proto_icmp.c > > +++ b/net/netfilter/nf_conntrack_proto_icmp.c > > @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, > > /* See ip_conntrack_proto_tcp.c */ > > if (state->net->ct.sysctl_checksum && > > state->hook == NF_INET_PRE_ROUTING && > > - nf_ip_checksum(skb, state->hook, dataoff, 0)) { > > + nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { > > icmp_error_log(skb, state, "bad hw icmp checksum"); > > return -NF_ACCEPT; > > } > > diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c > > index 07da077..83a24cc 100644 > > --- a/net/netfilter/nf_nat_proto.c > > +++ b/net/netfilter/nf_nat_proto.c > > @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, > > > > if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) > > return 0; > > - if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) > > + if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) > > return 0; > > > > inside = (void *)skb->data + hdrlen; > > diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c > > index 06dc555..51b454d 100644 > > --- a/net/netfilter/utils.c > > +++ b/net/netfilter/utils.c > > @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int > > hook, > > case CHECKSUM_COMPLETE: > > if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) > > break; > > - if ((protocol == 0 && !csum_fold(skb->csum)) || > > + if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && > > + !csum_fold(skb->csum)) || > > !csum_tcpudp_magic(iph->saddr, iph->daddr, > >skb->len - dataoff, protocol, > >skb->csum)) { 
> > @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int > > hook, > > } > > /* fall through */ > > case CHECKSUM_NONE: > > - if (protocol == 0) > > + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) > > skb->csum = 0; > > else > > skb->csum = csum_tcpudp_nofold(iph->saddr, > > iph->daddr,
> > --
> > 2.7.4
> >
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
On Tue, Jun 25, 2019 at 6:15 AM wrote:
>
> From: He Zhe
>
> Since v5.1-rc1, some types of packets do not get unreachable reply with the
> following iptables setting. For example,

So what's the upstream status of this ? (I haven't checked netdev yet).

Bruce

>
> $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> $ ping 127.0.0.1 -c 1
> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> --- 127.0.0.1 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> We should have got the following reply from command line, but we did not.
> From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>
> Yi Zhao reported it and narrowed it down to:
> 7fc38225363d ("netfilter: reject: skip csum verification for protocols that
> don't support it"),
>
> This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
> packets that are of neither TCP nor UDP, and thus ICMP packets are mistakenly
> treated as TCP/UDP.
>
> This patch corrects the conditions in nf_ip_checksum and all other places that
> still call it with protocol 0.
>
> Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols
> that don't support it")
> Reported-by: Yi Zhao
> Signed-off-by: He Zhe
> ---
> This has been sent to upstream and would probably be handled next around. It's
> worth merging it before that.
>
> net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> net/netfilter/nf_nat_proto.c            | 2 +-
> net/netfilter/utils.c                   | 5 +++--
> 3 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
> index a824367..dd53e2b 100644
> --- a/net/netfilter/nf_conntrack_proto_icmp.c
> +++ b/net/netfilter/nf_conntrack_proto_icmp.c
> @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, > /* See ip_conntrack_proto_tcp.c */ > if (state->net->ct.sysctl_checksum && > state->hook == NF_INET_PRE_ROUTING && > - nf_ip_checksum(skb, state->hook, dataoff, 0)) { > + nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { > icmp_error_log(skb, state, "bad hw icmp checksum"); > return -NF_ACCEPT; > } > diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c > index 07da077..83a24cc 100644 > --- a/net/netfilter/nf_nat_proto.c > +++ b/net/netfilter/nf_nat_proto.c > @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, > > if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) > return 0; > - if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) > + if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) > return 0; > > inside = (void *)skb->data + hdrlen; > diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c > index 06dc555..51b454d 100644 > --- a/net/netfilter/utils.c > +++ b/net/netfilter/utils.c > @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int > hook, > case CHECKSUM_COMPLETE: > if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) > break; > - if ((protocol == 0 && !csum_fold(skb->csum)) || > + if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && > + !csum_fold(skb->csum)) || > !csum_tcpudp_magic(iph->saddr, iph->daddr, >skb->len - dataoff, protocol, >skb->csum)) { 
> @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int > hook, > } > /* fall through */ > case CHECKSUM_NONE: > - if (protocol == 0) > + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) > skb->csum = 0; > else > skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
> --
> 2.7.4
>

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [linux-yocto] failed to boot qemu with security.scc
On Tue, Jun 25, 2019 at 10:25 AM He Zhe wrote:
>
> Hi Bruce,
>
> Have you ever met the following error with features/security/security.scc,
> when running qemux86?

Hmm. No, I haven't seen that.

My old builds were using sysvinit, so I didn't have a recent build
ready to go. But I just started a new one, and will do a boot test on
(my) Tuesday.

Bruce

>
> ...
> [**] A start job is running for Load Kernel Modules (7min 26s / 7min 31s)
>
>
> * systemd-modules-load.service - Load Kernel Modules
>    Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
>    Active: failed (Result: timeout) since Tue 2019-06-25 13:55:28 UTC; 6min ago
>      Docs: man:systemd-modules-load.service(8)
>            man:modules-load.d(5)
>  Main PID: 110
>     Tasks: 1 (limit: 570)
>    Memory: 968.0K
>    CGroup: /system.slice/systemd-modules-load.service
>            `-110 /lib/systemd/systemd-modules-load
>
> Jun 25 13:47:58 qemux86 systemd-modules-load[110]: Inserted module 'openvswitch'
> Jun 25 13:49:27 qemux86 systemd[1]: systemd-modules-load.service: Start operation timed out. Terminating.
> Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: State 'stop-sigterm' timed out. Killing.
> Jun 25 13:50:58 qemux86 systemd[1]: systemd-modules-load.service: Killing process 110 (systemd-modules) with signal SIGKILL.
> Jun 25 13:52:28 qemux86 systemd[1]: systemd-modules-load.service: Processes still around after SIGKILL. Ignoring.
> Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: State 'stop-final-sigterm' timed out. Killing.
> Jun 25 13:53:58 qemux86 systemd[1]: systemd-modules-load.service: Killing process 110 (systemd-modules) with signal SIGKILL.
> Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Processes still around after final SIGKILL. Entering failed mode.
> Jun 25 13:55:28 qemux86 systemd[1]: systemd-modules-load.service: Failed with result 'timeout'.
> Jun 25 13:55:28 qemux86 systemd[1]: Failed to start Load Kernel Modules.
>
>
> Zhe

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [linux-yocto] [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
On 6/26/19 11:00 AM, Bruce Ashfield wrote:
> On Tue, Jun 25, 2019 at 6:15 AM wrote:
>> From: He Zhe
>>
>> Since v5.1-rc1, some types of packets do not get unreachable reply with the
>> following iptables setting. For example,
> So what's the upstream status of this ? (I haven't checked netdev yet).

It hasn't got a reply yet. Maybe it will be handled in the next version.
https://lore.kernel.org/lkml/1561346258-272481-1-git-send-email-zhe...@windriver.com/

Zhe

>
> Bruce
>
>> $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>> $ ping 127.0.0.1 -c 1
>> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>> --- 127.0.0.1 ping statistics ---
>> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>>
>> We should have got the following reply from command line, but we did not.
>> From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>>
>> Yi Zhao reported it and narrowed it down to:
>> 7fc38225363d ("netfilter: reject: skip csum verification for protocols that
>> don't support it"),
>>
>> This is because nf_ip_checksum still expects pseudo-header protocol type 0
>> for
>> packets that are of neither TCP nor UDP, and thus ICMP packets are mistakenly
>> treated as TCP/UDP.
>>
>> This patch corrects the conditions in nf_ip_checksum and all other places
>> that
>> still call it with protocol 0.
>>
>> Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
>> protocols that don't support it")
>> Reported-by: Yi Zhao
>> Signed-off-by: He Zhe
>> ---
>> This has been sent to upstream and would probably be handled next around.
>> It's
>> worth merging it before that.
>>
>> net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>> net/netfilter/nf_nat_proto.c            | 2 +-
>> net/netfilter/utils.c                   | 5 +++--
>> 3 files changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
>> index a824367..dd53e2b 100644
>> --- a/net/netfilter/nf_conntrack_proto_icmp.c
>> +++ b/net/netfilter/nf_conntrack_proto_icmp.c
>> @@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, >> /* See ip_conntrack_proto_tcp.c */ >> if (state->net->ct.sysctl_checksum && >> state->hook == NF_INET_PRE_ROUTING && >> - nf_ip_checksum(skb, state->hook, dataoff, 0)) { >> + nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { >> icmp_error_log(skb, state, "bad hw icmp checksum"); >> return -NF_ACCEPT; >> } >> diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c >> index 07da077..83a24cc 100644 >> --- a/net/netfilter/nf_nat_proto.c >> +++ b/net/netfilter/nf_nat_proto.c >> @@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, >> >> if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) >> return 0; >> - if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) >> + if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) >> return 0; >> >> inside = (void *)skb->data + hdrlen; >> diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c >> index 06dc555..51b454d 100644 >> --- a/net/netfilter/utils.c >> +++ b/net/netfilter/utils.c >> @@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int >> hook, >> case CHECKSUM_COMPLETE: >> if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) >> break; >> - if ((protocol == 0 && !csum_fold(skb->csum)) || >> + if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && >> + !csum_fold(skb->csum)) || >> !csum_tcpudp_magic(iph->saddr, iph->daddr, >>skb->len - dataoff, protocol, >>skb->csum)) { >> @@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int >> hook, >> } >> /* fall through */ >> case CHECKSUM_NONE: >> - if (protocol == 0) >> + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) >> skb->csum = 0; >> else >> skb->csum = csum_tcpudp_nofold(iph->saddr, >> iph->daddr,
>> --
>> 2.7.4
>>
>