On Mon, Feb 16, 2015 at 06:54:04PM +0100, Florian Westphal wrote:
> tcp resets are never emitted if the packet that triggers the
> reject/reset has an invalid checksum.
>
> For icmp error responses there was no such check.
> It allows one to distinguish icmp responses generated via
>
> iptables -I INPUT -p udp --dport 42 -j REJECT
>
> and those emitted by the network stack (won't respond if csum is invalid,
> REJECT does).
>
> Arguably it's possible to avoid this by using conntrack and only
> using REJECT with -m conntrack NEW/RELATED.
>
> However, this doesn't work when connection tracking is not in use
> or when using nf_conntrack_checksum=0.
>
> Furthermore, sending errors in response to invalid csums doesn't make
> much sense, so just add a similar test as in nf_send_reset.
>
> Validate csum if needed and only send the response if it is ok.

Applied, thanks Florian.
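Added example, not code from the netfilter patch: a user-space model of the gate the commit describes, verifying a UDP datagram's checksum over the IPv4 pseudo-header before an ICMP unreachable may be generated, so REJECT stays indistinguishable from the native stack on corrupted packets. It assumes IPv4 without options, the RFC 768 rule that a zero UDP checksum means none was computed (the kernel's own handling of that case is not claimed here), and a constructed sample packet.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* RFC 1071 one's-complement sum of len bytes, accumulated into sum. */
static uint32_t csum_partial(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (p[0] << 8) | p[1];
    if (len) sum += p[0] << 8;               /* odd trailing byte, zero padded */
    return sum;
}

/* Fold the carries and complement; a segment that verifies folds to 0. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The gate the patch adds, modelled in user space: an ICMP unreachable may be
 * sent for this IPv4/UDP datagram of 'total' bytes only if the UDP checksum
 * verifies over the pseudo-header (or, per RFC 768, was not set at all). */
bool should_send_unreach(const uint8_t *ip, size_t total)
{
    size_t ihl = (ip[0] & 0x0f) * 4;
    const uint8_t *udp = ip + ihl;
    size_t ulen = (udp[4] << 8) | udp[5];
    if (ulen < 8 || ihl + ulen > total) return false;  /* truncated: drop */
    if (udp[6] == 0 && udp[7] == 0) return true;       /* IPv4: csum optional */
    uint8_t pseudo[12] = { 0 };
    memcpy(pseudo, ip + 12, 8);                        /* saddr, daddr */
    pseudo[9] = 17; pseudo[10] = ulen >> 8; pseudo[11] = ulen & 0xff;
    uint32_t sum = csum_partial(pseudo, 12, 0);
    return csum_fold(csum_partial(udp, ulen, sum)) == 0;
}

/* Constructed sample (not a capture): 10.0.0.1:4242 -> 10.0.0.2:42, payload
 * "hi", UDP csum 0x72b2; the IP header csum is left 0 since it is not checked. */
static const uint8_t sample[30] = {
    0x45, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x10, 0x92, 0x00, 0x2a, 0x00, 0x0a, 0x72, 0xb2, 'h', 'i' };

/* 0: intact, 1: one payload bit flipped, 2: sender sent no checksum. */
bool check_variant(int variant)
{
    uint8_t pkt[sizeof sample]; memcpy(pkt, sample, sizeof pkt);
    if (variant == 1) pkt[28] ^= 0x01;                 /* corrupt 'h' */
    if (variant == 2) pkt[26] = pkt[27] = 0;           /* clear csum field */
    return should_send_unreach(pkt, sizeof pkt);
}
```

Only the intact and checksum-less variants pass the gate; the corrupted one is silently dropped, which is the behaviour the native stack already had for such packets.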