Re: [PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-23 Thread Pablo Neira Ayuso
On Mon, Jun 20, 2016 at 09:26:28PM +0800, Liping Zhang wrote: > From: Liping Zhang > > In iptables, if the user adds a rule to send tcp RST and specifies a > non-TCP protocol, such as UDP, the kernel will reject this request. But > in nftables, this validity check only

Re: [PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-23 Thread Pablo Neira Ayuso
On Tue, Jun 21, 2016 at 04:03:01PM -0300, Marcelo Ricardo Leitner wrote: > On Tue, Jun 21, 2016 at 09:35:55AM +0800, Liping Zhang wrote: > > For example, when tcp->rst is set, reject_ip6 will call > > pr_debug("RST is set\n"), while there's nothing in reject_ip4. > > > > IMO, these debug

Re: [PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-21 Thread Marcelo Ricardo Leitner
On Tue, Jun 21, 2016 at 09:35:55AM +0800, Liping Zhang wrote: > Hi Marcelo, > > 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner > : > > > > A different check/log is made for ip6: > > nf_reject_ip6_tcphdr_get(): > > /* IP header checks: fragment, too short.

Re: [PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
Hi Marcelo, 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner : > > A different check/log is made for ip6: > nf_reject_ip6_tcphdr_get(): > /* IP header checks: fragment, too short. */ > if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) { >

[PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
From: Liping Zhang In iptables, if the user adds a rule to send tcp RST and specifies a non-TCP protocol, such as UDP, the kernel will reject this request. But in nftables, this validity check only occurs in the nft tool, i.e. only in userspace. This means that the user can add