Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"
On Tue, Jul 2, 2019 at 12:17 PM He Zhe wrote:
>
>
>
> On 7/2/19 9:16 PM, He Zhe wrote:
> >
> > On 7/2/19 9:04 PM, Bruce Ashfield wrote:
> >> On Tue, Jul 2, 2019 at 4:54 AM wrote:
> >>> From: He Zhe
> >>>
> >>> The patch has already been applied on the tree. This would trigger
> >>> re-application when features/net/net.scc is included.
> >> Nothing should be including net.scc directly from a KERNEL_FEATURES.
> >> It is a patch + config block.
> >> So we won't be reverting this. Whatever is triggering that extra
> >> patching is using the wrong feature
> >> fragment.
> >>
> >> How exactly are you triggering the issue?
> > I'm triggering the issue from features/net/team/team.scc which includes
> > net.scc.
>
> Would team.scc be considered an acceptable usage?

Possibly. But since there's no description in the .scc file, it is hard to say :D

But going by the git history, it is possible that it is useful as an optional feature.

In situations such as this, we break the included .scc file into an "-enable" and a "config" variant. team.scc should include the config variant, leaving the standard/base and BSPs to include the full .scc, which is both patches and the config.

Bruce

>
> Thanks,
> Zhe
>
> >
> > Zhe
> >
> >> Bruce
> >>
> >>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
> >>> ---
> >>> features/net/net.scc | 1 -
> >>> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92
> >>> --
> >>> 2 files changed, 93 deletions(-)
> >>> delete mode 100644
> >>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>>
> >>> diff --git a/features/net/net.scc b/features/net/net.scc
> >>> index 722b320..4a4e0fb 100644
> >>> --- a/features/net/net.scc
> >>> +++ b/features/net/net.scc
> >>> @@ -1,3 +1,2 @@
> >>>
> >>> kconf hardware net.cfg
> >>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> diff --git
> >>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> deleted file mode 100644
> >>> index d1fdbf9..000
> >>> ---
> >>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> >>> +++ /dev/null
> >>> @@ -1,92 +0,0 @@
> >>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
> >>> -From: He Zhe
> >>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
> >>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
> >>> -MIME-Version: 1.0
> >>> -Content-Type: text/plain; charset=UTF-8
> >>> -Content-Transfer-Encoding: 8bit
> >>> -
> >>> -Since v5.1-rc1, some types of packets do not get unreachable reply with
> >>> the
> >>> -following iptables setting. Fox example,
> >>> -
> >>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> >>> -$ ping 127.0.0.1 -c 1
> >>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> >>> -— 127.0.0.1 ping statistics —
> >>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
> >>> -
> >>> -We should have got the following reply from command line, but we did not.
> >>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> >>> -
> >>> -Yi Zhao reported it and narrowed it down to:
> >>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols
> >>> that don't support it"),
> >>> -
> >>> -This is because nf_ip_checksum still expects pseudo-header protocol type
> >>> 0 for
> >>> -packets that are of neither TCP or UDP, and thus ICMP packets are
> >>> mistakenly
> >>> -treated as TCP/UDP.
> >>> -
> >>> -This patch corrects the conditions in nf_ip_checksum and all other
> >>> places that
> >>> -still call it with protocol 0.
> >>> -
> >>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
> >>> protocols that don't support it")
> >>> -Reported-by: Yi Zhao
> >>> -Signed-off-by: He Zhe
> >>> -Signed-off-by: Bruce Ashfield
> >>>
> >>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> >>> - net/netfilter/nf_nat_proto.c| 2 +-
> >>> - net/netfilter/utils.c | 5 +++--
> >>> - 3 files changed, 5 insertions(+), 4 deletions(-)
> >>> -
> >>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
> >>> b/net/netfilter/nf_conntrack_proto_icmp.c
> >>> -index a824367ed518..dd53e2b20f6b 100644
> >>> a/net/netfilter/nf_conntrack_proto_icmp.c
> >>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
> >>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> >>> - /* See ip_conntrack_proto_tcp.c */
> >>> - if (state->net->ct.sysctl_checksum &&
> >>> - state->hook == NF_INET_PRE_ROUTING &&
> >>> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> >>> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> >>> - icmp_error_log(skb, state, "bad hw icmp checksum");
> >>> - return -NF_ACCEPT;
> >>> - }
> >>> -diff --git a/net/netfilter/nf_nat_proto.c b/
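As an added illustration of the split Bruce describes above (these are not files from the kernel-cache tree; the fragment name `net-config.scc`, the description strings and the exact layout are assumptions, while the `define`, `include`, `kconf` and `patch` directives are the ones net.scc and team.scc already use), the page's own net.scc is kept as the patch-plus-config feature and a config-only fragment is split out for team.scc to include:

```scc
# features/net/net-config.scc (assumed name): configuration only.
# Safe to include from any other feature fragment, since it carries no patches.
define KFEATURE_DESCRIPTION "Core networking configuration (no patches)"
define KFEATURE_COMPATIBILITY all

kconf hardware net.cfg

# features/net/net.scc: the full feature for standard/base and BSP use.
# Includes the config variant and adds the patch, so the patch is applied
# once, by whichever tree pulls in the full feature.
define KFEATURE_DESCRIPTION "Core networking: configuration plus netfilter fix"
define KFEATURE_COMPATIBILITY all

include features/net/net-config.scc
patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch

# features/net/team/team.scc: the problematic form was
#     include features/net/net.scc
# which re-applies the patch when team is enabled from KERNEL_FEATURES on a
# tree that already carries the fix. Including only the config variant
# keeps the Kconfig dependency and drops the second patch application.
define KFEATURE_DESCRIPTION "Enable the team network driver"
define KFEATURE_COMPATIBILITY all

include features/net/net-config.scc
kconf non-hardware team.cfg
```

The security-relevant property of this layout is that the netfilter fix is never silently dropped: the revert under discussion removes the `patch` line for every consumer of net.scc, whereas the split leaves the fix in place for the base and BSP trees and only stops optional features from applying it twice.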
Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"
On 7/2/19 9:16 PM, He Zhe wrote:
>
> On 7/2/19 9:04 PM, Bruce Ashfield wrote:
>> On Tue, Jul 2, 2019 at 4:54 AM wrote:
>>> From: He Zhe
>>>
>>> The patch has already been applied on the tree. This would trigger
>>> re-application when features/net/net.scc is included.
>> Nothing should be including net.scc directly from a KERNEL_FEATURES.
>> It is a patch + config block.
>> So we won't be reverting this. Whatever is triggering that extra
>> patching is using the wrong feature
>> fragment.
>>
>> How exactly are you triggering the issue?
> I'm triggering the issue from features/net/team/team.scc which includes
> net.scc.

Would team.scc be considered an acceptable usage?

Thanks,
Zhe

>
> Zhe
>
>> Bruce
>>
>>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
>>> ---
>>> features/net/net.scc | 1 -
>>> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92
>>> --
>>> 2 files changed, 93 deletions(-)
>>> delete mode 100644
>>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>>
>>> diff --git a/features/net/net.scc b/features/net/net.scc
>>> index 722b320..4a4e0fb 100644
>>> --- a/features/net/net.scc
>>> +++ b/features/net/net.scc
>>> @@ -1,3 +1,2 @@
>>>
>>> kconf hardware net.cfg
>>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> diff --git
>>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> deleted file mode 100644
>>> index d1fdbf9..000
>>> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> +++ /dev/null
>>> @@ -1,92 +0,0 @@
>>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
>>> -From: He Zhe
>>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
>>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=UTF-8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
>>> -following iptables setting. Fox example,
>>> -
>>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>>> -$ ping 127.0.0.1 -c 1
>>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>>> -— 127.0.0.1 ping statistics —
>>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
>>> -
>>> -We should have got the following reply from command line, but we did not.
>>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>>> -
>>> -Yi Zhao reported it and narrowed it down to:
>>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols
>>> that don't support it"),
>>> -
>>> -This is because nf_ip_checksum still expects pseudo-header protocol type 0
>>> for
>>> -packets that are of neither TCP or UDP, and thus ICMP packets are
>>> mistakenly
>>> -treated as TCP/UDP.
>>> -
>>> -This patch corrects the conditions in nf_ip_checksum and all other places
>>> that
>>> -still call it with protocol 0.
>>> -
>>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
>>> protocols that don't support it")
>>> -Reported-by: Yi Zhao
>>> -Signed-off-by: He Zhe
>>> -Signed-off-by: Bruce Ashfield
>>>
>>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>>> - net/netfilter/nf_nat_proto.c| 2 +-
>>> - net/netfilter/utils.c | 5 +++--
>>> - 3 files changed, 5 insertions(+), 4 deletions(-)
>>> -
>>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
>>> b/net/netfilter/nf_conntrack_proto_icmp.c
>>> -index a824367ed518..dd53e2b20f6b 100644
>>> a/net/netfilter/nf_conntrack_proto_icmp.c
>>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
>>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>>> - /* See ip_conntrack_proto_tcp.c */
>>> - if (state->net->ct.sysctl_checksum &&
>>> - state->hook == NF_INET_PRE_ROUTING &&
>>> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>>> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>>> - icmp_error_log(skb, state, "bad hw icmp checksum");
>>> - return -NF_ACCEPT;
>>> - }
>>> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>>> -index 07da07788f6b..83a24cc5753b 100644
>>> a/net/netfilter/nf_nat_proto.c
>>> -+++ b/net/netfilter/nf_nat_proto.c
>>> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>>> -
>>> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>>> - return 0;
>>> -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>>> -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>>> - return 0;
>>> -
>>> - inside = (void *)skb->data + hdrlen;
>>> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>>> -index 06dc55590441..51b454d8fa9c 100644
>>> a/net/netfilter/utils.c
>>> -+++ b/net/netfilter
Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"
On 7/2/19 9:04 PM, Bruce Ashfield wrote:
> On Tue, Jul 2, 2019 at 4:54 AM wrote:
>> From: He Zhe
>>
>> The patch has already been applied on the tree. This would trigger
>> re-application when features/net/net.scc is included.
> Nothing should be including net.scc directly from a KERNEL_FEATURES.
> It is a patch + config block.
> So we won't be reverting this. Whatever is triggering that extra
> patching is using the wrong feature
> fragment.
>
> How exactly are you triggering the issue?

I'm triggering the issue from features/net/team/team.scc which includes net.scc.

Zhe

>
> Bruce
>
>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
>> ---
>> features/net/net.scc | 1 -
>> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92
>> --
>> 2 files changed, 93 deletions(-)
>> delete mode 100644
>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>
>> diff --git a/features/net/net.scc b/features/net/net.scc
>> index 722b320..4a4e0fb 100644
>> --- a/features/net/net.scc
>> +++ b/features/net/net.scc
>> @@ -1,3 +1,2 @@
>>
>> kconf hardware net.cfg
>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> diff --git
>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> deleted file mode 100644
>> index d1fdbf9..000
>> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> +++ /dev/null
>> @@ -1,92 +0,0 @@
>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
>> -From: He Zhe
>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=UTF-8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
>> -following iptables setting. Fox example,
>> -
>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>> -$ ping 127.0.0.1 -c 1
>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>> -— 127.0.0.1 ping statistics —
>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
>> -
>> -We should have got the following reply from command line, but we did not.
>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>> -
>> -Yi Zhao reported it and narrowed it down to:
>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that
>> don't support it"),
>> -
>> -This is because nf_ip_checksum still expects pseudo-header protocol type 0
>> for
>> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
>> -treated as TCP/UDP.
>> -
>> -This patch corrects the conditions in nf_ip_checksum and all other places
>> that
>> -still call it with protocol 0.
>> -
>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
>> protocols that don't support it")
>> -Reported-by: Yi Zhao
>> -Signed-off-by: He Zhe
>> -Signed-off-by: Bruce Ashfield
>>
>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>> - net/netfilter/nf_nat_proto.c| 2 +-
>> - net/netfilter/utils.c | 5 +++--
>> - 3 files changed, 5 insertions(+), 4 deletions(-)
>> -
>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
>> b/net/netfilter/nf_conntrack_proto_icmp.c
>> -index a824367ed518..dd53e2b20f6b 100644
>> a/net/netfilter/nf_conntrack_proto_icmp.c
>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>> - /* See ip_conntrack_proto_tcp.c */
>> - if (state->net->ct.sysctl_checksum &&
>> - state->hook == NF_INET_PRE_ROUTING &&
>> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>> - icmp_error_log(skb, state, "bad hw icmp checksum");
>> - return -NF_ACCEPT;
>> - }
>> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>> -index 07da07788f6b..83a24cc5753b 100644
>> a/net/netfilter/nf_nat_proto.c
>> -+++ b/net/netfilter/nf_nat_proto.c
>> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>> -
>> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>> - return 0;
>> -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>> -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>> - return 0;
>> -
>> - inside = (void *)skb->data + hdrlen;
>> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>> -index 06dc55590441..51b454d8fa9c 100644
>> a/net/netfilter/utils.c
>> -+++ b/net/netfilter/utils.c
>> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int
>> hook,
>> - case CHECKSUM_COMPLETE:
>> - if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
>> -
Re: [linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"
On Tue, Jul 2, 2019 at 4:54 AM wrote:
>
> From: He Zhe
>
> The patch has already been applied on the tree. This would trigger
> re-application when features/net/net.scc is included.

Nothing should be including net.scc directly from a KERNEL_FEATURES. It is a patch + config block.

So we won't be reverting this. Whatever is triggering that extra patching is using the wrong feature fragment.

How exactly are you triggering the issue?

Bruce

>
> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
> ---
> features/net/net.scc | 1 -
> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92
> --
> 2 files changed, 93 deletions(-)
> delete mode 100644
> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>
> diff --git a/features/net/net.scc b/features/net/net.scc
> index 722b320..4a4e0fb 100644
> --- a/features/net/net.scc
> +++ b/features/net/net.scc
> @@ -1,3 +1,2 @@
>
> kconf hardware net.cfg
> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> diff --git
> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> deleted file mode 100644
> index d1fdbf9..000
> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
> -From: He Zhe
> -Date: Tue, 25 Jun 2019 18:15:50 +0800
> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
> -following iptables setting. Fox example,
> -
> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> -$ ping 127.0.0.1 -c 1
> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> -— 127.0.0.1 ping statistics —
> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
> -
> -We should have got the following reply from command line, but we did not.
> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> -
> -Yi Zhao reported it and narrowed it down to:
> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that
> don't support it"),
> -
> -This is because nf_ip_checksum still expects pseudo-header protocol type 0
> for
> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
> -treated as TCP/UDP.
> -
> -This patch corrects the conditions in nf_ip_checksum and all other places
> that
> -still call it with protocol 0.
> -
> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
> protocols that don't support it")
> -Reported-by: Yi Zhao
> -Signed-off-by: He Zhe
> -Signed-off-by: Bruce Ashfield
>
> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> - net/netfilter/nf_nat_proto.c| 2 +-
> - net/netfilter/utils.c | 5 +++--
> - 3 files changed, 5 insertions(+), 4 deletions(-)
> -
> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
> b/net/netfilter/nf_conntrack_proto_icmp.c
> -index a824367ed518..dd53e2b20f6b 100644
> a/net/netfilter/nf_conntrack_proto_icmp.c
> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> - /* See ip_conntrack_proto_tcp.c */
> - if (state->net->ct.sysctl_checksum &&
> - state->hook == NF_INET_PRE_ROUTING &&
> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> - icmp_error_log(skb, state, "bad hw icmp checksum");
> - return -NF_ACCEPT;
> - }
> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
> -index 07da07788f6b..83a24cc5753b 100644
> a/net/netfilter/nf_nat_proto.c
> -+++ b/net/netfilter/nf_nat_proto.c
> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
> -
> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
> - return 0;
> -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
> -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
> - return 0;
> -
> - inside = (void *)skb->data + hdrlen;
> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
> -index 06dc55590441..51b454d8fa9c 100644
> a/net/netfilter/utils.c
> -+++ b/net/netfilter/utils.c
> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int
> hook,
> - case CHECKSUM_COMPLETE:
> - if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
> - break;
> -- if ((protocol == 0 && !csum_fold(skb->csum)) ||
> -+ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
> -+ !csum_fold(skb->csum)) ||
> - !csum_tcpudp_magic(ip
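The patch quoted above explains the failure: after 7fc38225363d made callers pass the real protocol, nf_ip_checksum() still treated protocol 0 as the only "no pseudo-header" case, so an ICMP packet (protocol 1) was verified as if it were TCP/UDP and its intact checksum never matched. The following is an added user-space model of that decision, not kernel code and not from this thread: it re-implements the one's-complement sum, mixes in an IPv4 pseudo-header the way csum_tcpudp_magic() does, and checks a constructed ICMP echo request and a constructed UDP datagram under both the old `protocol == 0` sentinel and the corrected `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` test from the utils.c hunk. All packet bytes, the 127.0.0.1 addresses and the function names are constructed for the example; the kernel's csum_fold() returns the complement, so the fold here compares against 0xffff rather than 0.

```c
/* Added example: user-space model of the nf_ip_checksum() sentinel bug.
 * Not kernel code; sum_words/fold16/add_pseudo_header are simplified
 * stand-ins for csum_partial/csum_fold/csum_tcpudp_magic. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IANA protocol numbers, defined locally so no network headers are needed. */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* RFC 1071 one's-complement accumulate over big-endian 16-bit words. */
static uint32_t sum_words(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return sum;
}

/* Fold the carries back in; a packet with a valid checksum folds to 0xffff. */
static uint16_t fold16(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* IPv4 pseudo-header words (saddr, daddr, zero|proto, length): the extra
 * input that csum_tcpudp_magic() adds for TCP and UDP checksums only. */
static uint32_t add_pseudo_header(uint32_t sum, uint32_t saddr, uint32_t daddr,
                                  uint8_t proto, uint16_t len)
{
    sum += saddr >> 16; sum += saddr & 0xffff;
    sum += daddr >> 16; sum += daddr & 0xffff;
    sum += proto;
    sum += len;
    return sum;
}

/* The sentinel test the patch corrects. Before 7fc38225363d callers passed 0
 * for "no pseudo-header"; afterwards they pass the real protocol, so the old
 * test wrongly sends ICMP (1) down the TCP/UDP path. */
static int old_rule_wants_pseudo_header(uint8_t protocol) { return protocol != 0; }
static int new_rule_wants_pseudo_header(uint8_t protocol)
{
    return protocol == PROTO_TCP || protocol == PROTO_UDP;
}

/* Returns 1 when the transport checksum verifies under the chosen rule. */
static int checksum_ok(const uint8_t *pkt, size_t len, uint32_t saddr,
                       uint32_t daddr, uint8_t protocol, int use_new_rule)
{
    uint32_t sum = sum_words(pkt, len, 0);
    int pseudo = use_new_rule ? new_rule_wants_pseudo_header(protocol)
                              : old_rule_wants_pseudo_header(protocol);
    if (pseudo)
        sum = add_pseudo_header(sum, saddr, daddr, protocol, (uint16_t)len);
    return fold16(sum) == 0xffff;
}

/* Constructed 12-byte ICMP echo request (type 8); its checksum covers only
 * the ICMP bytes, never a pseudo-header. */
static size_t build_icmp_echo(uint8_t *out)
{
    uint8_t pkt[12] = { 8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd' };
    uint16_t c = (uint16_t)~fold16(sum_words(pkt, sizeof pkt, 0));
    pkt[2] = (uint8_t)(c >> 8); pkt[3] = (uint8_t)c;
    memcpy(out, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Constructed 12-byte UDP datagram; its checksum does include the pseudo-header. */
static size_t build_udp(uint8_t *out, uint32_t saddr, uint32_t daddr)
{
    uint8_t pkt[12] = { 0x04, 0xd2, 0x16, 0x2e, 0x00, 0x0c, 0, 0, 'a', 'b', 'c', 'd' };
    uint32_t sum = add_pseudo_header(sum_words(pkt, sizeof pkt, 0), saddr, daddr,
                                     PROTO_UDP, sizeof pkt);
    uint16_t c = (uint16_t)~fold16(sum);
    pkt[6] = (uint8_t)(c >> 8); pkt[7] = (uint8_t)c;
    memcpy(out, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Build a valid packet of the given protocol between constructed 127.0.0.1
 * addresses and report whether nf_ip_checksum()-style verification accepts it. */
int packet_accepted(uint8_t protocol, int use_new_rule)
{
    const uint32_t lo = 0x7f000001u;   /* 127.0.0.1, as in the quoted ping session */
    uint8_t buf[16];
    size_t n = protocol == PROTO_UDP ? build_udp(buf, lo, lo) : build_icmp_echo(buf);
    return checksum_ok(buf, n, lo, lo, protocol, use_new_rule);
}

int main(void)
{
    printf("ICMP, old rule: %s\n", packet_accepted(PROTO_ICMP, 0) ? "accepted" : "dropped as bad checksum");
    printf("ICMP, new rule: %s\n", packet_accepted(PROTO_ICMP, 1) ? "accepted" : "dropped as bad checksum");
    printf("UDP,  old rule: %s\n", packet_accepted(PROTO_UDP, 0) ? "accepted" : "dropped");
    printf("UDP,  new rule: %s\n", packet_accepted(PROTO_UDP, 1) ? "accepted" : "dropped");
    return 0;
}
```

Under the old rule the intact ICMP packet is reported as a bad checksum, which is the "no Destination Unreachable reply" symptom in the quoted iptables/ping session; the UDP datagram verifies under both rules because its checksum genuinely covers the pseudo-header. The defensive lesson is the general one the patch embodies: a sentinel value that shares a type with real data (protocol 0 next to real protocol numbers) breaks silently as soon as one caller is changed to pass real data, so the test should name the cases that need the extra input rather than the one case that does not.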
[linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"
From: He Zhe

The patch has already been applied on the tree. This would trigger re-application when features/net/net.scc is included.

This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
---
 features/net/net.scc | 1 -
 ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 --
 2 files changed, 93 deletions(-)
 delete mode 100644 features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch

diff --git a/features/net/net.scc b/features/net/net.scc
index 722b320..4a4e0fb 100644
--- a/features/net/net.scc
+++ b/features/net/net.scc
@@ -1,3 +1,2 @@

 kconf hardware net.cfg
-patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
diff --git a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
deleted file mode 100644
index d1fdbf9..000
--- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
-From: He Zhe
-Date: Tue, 25 Jun 2019 18:15:50 +0800
-Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since v5.1-rc1, some types of packets do not get unreachable reply with the
-following iptables setting. Fox example,
-
-$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
-$ ping 127.0.0.1 -c 1
-PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
-— 127.0.0.1 ping statistics —
-1 packets transmitted, 0 received, 100% packet loss, time 0ms
-
-We should have got the following reply from command line, but we did not.
-From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
-
-Yi Zhao reported it and narrowed it down to:
-7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),
-
-This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
-packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
-treated as TCP/UDP.
-
-This patch corrects the conditions in nf_ip_checksum and all other places that
-still call it with protocol 0.
-
-Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
-Reported-by: Yi Zhao
-Signed-off-by: He Zhe
-Signed-off-by: Bruce Ashfield
- net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
- net/netfilter/nf_nat_proto.c| 2 +-
- net/netfilter/utils.c | 5 +++--
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
-index a824367ed518..dd53e2b20f6b 100644
a/net/netfilter/nf_conntrack_proto_icmp.c
-+++ b/net/netfilter/nf_conntrack_proto_icmp.c
-@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
- /* See ip_conntrack_proto_tcp.c */
- if (state->net->ct.sysctl_checksum &&
- state->hook == NF_INET_PRE_ROUTING &&
-- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
-+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
- icmp_error_log(skb, state, "bad hw icmp checksum");
- return -NF_ACCEPT;
- }
-diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
-index 07da07788f6b..83a24cc5753b 100644
a/net/netfilter/nf_nat_proto.c
-+++ b/net/netfilter/nf_nat_proto.c
-@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
-
- if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
- return 0;
-- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
-+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
- return 0;
-
- inside = (void *)skb->data + hdrlen;
-diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
-index 06dc55590441..51b454d8fa9c 100644
a/net/netfilter/utils.c
-+++ b/net/netfilter/utils.c
-@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
- case CHECKSUM_COMPLETE:
- if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
- break;
-- if ((protocol == 0 && !csum_fold(skb->csum)) ||
-+ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
-+ !csum_fold(skb->csum)) ||
- !csum_tcpudp_magic(iph->saddr, iph->daddr,
- skb->len - dataoff, protocol,
- skb->csum)) {
-@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
- }
- /* fall through */
- case CHECKSUM_NONE:
-- if (protocol == 0)
-+ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
- skb->csum = 0;
- else
- skb->csum = csum_tcpudp_nofol
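Review bot: the net.scc hunk (`-patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch`) removes the patch for every consumer of features/net/net.scc, not only for the tree on which the commit message says it is already applied; a BSP or base branch that relies on net.scc to carry the fix would lose it without any change to its own fragments. The maintainer's reply in this thread points at the narrower fix: keep net.scc as patch + config and give team.scc a config-only fragment to include, so the double application stops without dropping the fix anywhere.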
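Review bot: the deleted-file hunk (`@@ -1,92 +0,0 @@`) removes the only copy of the fix in this feature, yet the revert's message ("already been applied on the tree") names neither the branch nor the commit that carries it, so a reviewer cannot verify that nothing is lost; cite that commit, together with the patch's own id b383959122e464ccdc21f6b37af88152d29cdf95 and its Fixes: 7fc38225363d tag, in the revert message. The deleted content also shows why the fix matters: its utils.c hunks replace the `protocol == 0` sentinel in nf_ip_checksum with `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP`, and its conntrack and NAT hunks pass IPPROTO_ICMP instead of 0, so any branch that ends up without it goes back to verifying ICMP checksums as TCP/UDP ones and the REJECT case in the description fails again.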