On Thu, Jan 29, 2015 at 10:59:46AM +0100, Florian Westphal wrote:
> tcp resets are never emitted if the packet that triggers the
> reject/reset has an invalid checksum.
>
> For icmp error responses there was no such check.
> It allows to distinguish icmp response generated via
>
> iptables -I INPUT -p udp --dport 42 -j REJECT
>
> and those emitted by network stack (won't respond if csum is invalid,
> REJECT does).
>
> Arguably it's possible to avoid this by using conntrack and only using
> REJECT with -m conntrack NEW/RELATED.
>
> However, this doesn't work when connection tracking is not in use or
> when using nf_conntrack_checksum=0.
>
> Furthermore, sending errors in response to invalid csums doesn't make
> much sense so just add similar test as in nf_send_reset.

Could you also review net/bridge/netfilter/nft_reject_bridge.c?

Thanks.
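The checksum gate the quoted commit message argues for, as an added user-space C illustration that is not part of the patch, the kernel or this thread: it verifies a UDP datagram's checksum over the IPv4 pseudo-header and only then reports that a REJECT-style ICMP error reply is warranted, so a forged datagram with a bad checksum gets the same silence it would get from the stack. The addresses, ports, payload and the treatment of a zero (uncomputed) UDP checksum as acceptable are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* RFC 1071 one's-complement sum over a buffer (handles an odd trailing byte). */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
    while (len > 1) { sum += (uint32_t)(buf[0] << 8 | buf[1]); buf += 2; len -= 2; }
    if (len) sum += (uint32_t)buf[0] << 8;
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* UDP checksum over IPv4 pseudo-header + UDP header + payload; 0 when the
 * datagram (with its checksum field included) verifies. */
static uint16_t udp_csum(const uint8_t src[4], const uint8_t dst[4],
                         const uint8_t *udp, size_t udplen)
{
    uint8_t pseudo[12];
    memcpy(pseudo, src, 4); memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0; pseudo[9] = 17;                      /* IPPROTO_UDP */
    pseudo[10] = (uint8_t)(udplen >> 8); pseudo[11] = (uint8_t)udplen;
    return csum_fold(csum_partial(udp, udplen, csum_partial(pseudo, 12, 0)));
}

/* True only if the datagram's checksum verifies; an error reply is suppressed
 * otherwise. Assumption: a zero UDP checksum means "not computed" (legal over
 * IPv4) and is treated as valid, as the receiving stack would. */
bool should_send_icmp_error(const uint8_t src[4], const uint8_t dst[4],
                            const uint8_t *udp, size_t udplen)
{
    if (udplen < 8) return false;
    uint16_t field = (uint16_t)(udp[6] << 8 | udp[7]);
    if (field == 0) return true;
    return udp_csum(src, dst, udp, udplen) == 0;
}

/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:42 (the port in the quoted rule). */
static const uint8_t SRC[4] = {10, 0, 0, 1};
static const uint8_t DST[4] = {10, 0, 0, 2};

/* Fill udp (>= 10 bytes) with a valid header for port 42 and payload "hi". */
size_t build_sample_udp(uint8_t *udp)
{
    const uint8_t payload[2] = {'h', 'i'};
    size_t len = 8 + sizeof payload;
    udp[0] = 0x04; udp[1] = 0xd2; udp[2] = 0x00; udp[3] = 42;
    udp[4] = 0; udp[5] = (uint8_t)len; udp[6] = udp[7] = 0;   /* zero before computing */
    memcpy(udp + 8, payload, sizeof payload);
    uint16_t c = udp_csum(SRC, DST, udp, len);
    if (c == 0) c = 0xffff;                              /* RFC 768: sent as all ones */
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
    return len;
}
```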