Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > For icmp error responses there was no such check.
> > It allows to distinguish icmp response generated via
> >
> > iptables -I INPUT -p udp --dport 42 -j REJECT
> >
> > and those emitted by network stack (won't respond if csum is invalid,
> > REJECT does).
> >
> > Arguably it's possible to avoid this by using conntrack and only using
> > REJECT with -m conntrack NEW/RELATED.
> >
> > However, this doesn't work when connection tracking is not in use or
> > when using nf_conntrack_checksum=0.
> >
> > Furthermore, sending errors in response to invalid csums doesn't make
> > much sense so just add similar test as in nf_send_reset.
>
> Could you also review net/bridge/netfilter/nft_reject_bridge.c?

Looks like the ipv6 part doesn't check them either, I'll see how to best
address this (ipv4 part looks good).

Thanks.
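As an added illustration (not code from the patch or from the kernel), the rule the thread describes applied to a UDP over IPv4 datagram: REJECT may answer with an ICMP error only when the transport checksum verifies, so a datagram with a bad checksum gets the same silence the stack would give it. The helper names, the 20-byte IPv4 header assumption and the probe packet bytes are mine.

```c
/* Added illustration, not kernel or patch code: the check the thread describes,
 * for a UDP/IPv4 datagram. An ICMP error from REJECT is allowed only when the
 * transport checksum verifies; a bad checksum is dropped silently, as the stack
 * would. Assumes a 20-byte IPv4 header (no options); packet bytes are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* One's-complement accumulate, as used by the IP, UDP and ICMP checksums. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)                                     /* odd trailing byte */
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* True when the UDP checksum verifies, or is 0 (sender omitted it). */
bool udp4_csum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 28) return false;                  /* 20-byte IP + 8-byte UDP */
    const uint8_t *udp = pkt + 20;
    size_t ulen = ((size_t)udp[4] << 8) | udp[5];
    if (ulen < 8 || 20 + ulen > len) return false;
    if (udp[6] == 0 && udp[7] == 0) return true;
    uint8_t ph[12] = {0};                        /* pseudo-header */
    memcpy(ph, pkt + 12, 8);                     /* src and dst address */
    ph[9] = 17;                                  /* protocol: UDP */
    ph[10] = udp[4]; ph[11] = udp[5];            /* UDP length */
    uint32_t sum = csum_add(0, ph, sizeof ph);
    sum = csum_add(sum, udp, ulen);              /* checksum field included */
    while (sum >> 16)                            /* fold carries */
        sum = (sum & 0xffff) + (sum >> 16);
    return sum == 0xffff;                        /* valid data sums to all-ones */
}

/* Constructed probe: 10.0.0.1:1234 -> 10.0.0.2:42, no payload, csum 0xe6df. */
static const uint8_t good_pkt[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x04,0xd2, 0x00,0x2a, 0x00,0x08, 0xe6,0xdf };

/* REJECT decision for the probe with checksum field `csum`: true = may send ICMP error. */
bool reject_may_answer(uint16_t csum)
{
    uint8_t pkt[28]; memcpy(pkt, good_pkt, sizeof pkt);
    pkt[26] = csum >> 8; pkt[27] = csum & 0xff;
    return udp4_csum_ok(pkt, sizeof pkt);
}
```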