Hi Alin,

On Tue, Feb 12, 2019 at 12:45:51AM +0100, Pablo Neira Ayuso wrote:
> On Fri, Feb 08, 2019 at 02:15:24PM +0100, Alin Nastac wrote:
> > From: Alin Nastac <alin.nastac@xxxxxxxxx>
> >
> > Some protocols have other means to verify the payload integrity
> > (AH, ESP, SCTP) while others are incompatible with nf_ip(6)_checksum
> > implementation because checksum is either optional or might be
> > partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used
> > to validate the packets, ip(6)tables REJECT rules were not capable
> > to generate ICMP(v6) errors for the protocols mentioned above.
> >
> > This commit also fixes the incorrect pseudo-header protocol used
> > for IPv4 packets that carry other transport protocols than TCP or
> > UDP (pseudo-header used protocol 0 iso the proper value).

Sorry, I just realized that we are not updating:

net/bridge/netfilter/nft_reject_bridge.c

Probably we can place this:

+ proto = iph->protocol;
+ switch (proto) {
+ /* Protocols with other integrity checks. */
+ case IPPROTO_AH:
+ case IPPROTO_ESP:
+ case IPPROTO_SCTP:
+
+ /* Protocols with partial checksums. */
+ case IPPROTO_UDPLITE:
+ case IPPROTO_DCCP:
+
+ /* Protocols with optional checksums. */
+ case IPPROTO_GRE:
+ goto send_unreach;
}

into an inline function in include/net/netfilter/nf_reject.h and use it
from these three spots?

Thanks!
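Review bot: the first line of the proposed fragment, `proto = iph->protocol;`, is IPv4-specific, so an inline helper in nf_reject.h built around the IPv4 header cannot be shared with the IPv6 callers, where the transport protocol is whatever next header remains after the extension headers have been walked. Since the goal is one helper used from three spots, have it take the protocol number rather than the header (e.g. `static inline bool nf_reject_verify_csum(__u8 proto)`), keep only the `switch` with its three commented groups inside it, and leave the `goto send_unreach` at each call site, which then passes in the IPv4 protocol or the IPv6 nexthdr it already holds.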
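The two behaviours the commit message above describes, skipping the transport checksum for protocols whose checksum is absent, partial or of a different kind, and building the IPv4 pseudo header with the packet's real protocol number instead of 0, as an added user-space example in C. This is not code from the thread or from the kernel; the helper names reject_verify_csum, ipv4_transport_csum and reject_may_send_unreach are hypothetical stand-ins for whatever the inline in nf_reject.h ends up being called, and the packet bytes are constructed for the example rather than captured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers (same values as the kernel's IPPROTO_* constants). */
#define PROTO_TCP     6
#define PROTO_UDP     17
#define PROTO_DCCP    33
#define PROTO_GRE     47
#define PROTO_ESP     50
#define PROTO_AH      51
#define PROTO_SCTP    132
#define PROTO_UDPLITE 136

/* Hypothetical stand-in for the shared inline: false means the REJECT path
 * must not run a full Internet checksum over this transport protocol. */
static bool reject_verify_csum(uint8_t proto)
{
	switch (proto) {
	case PROTO_AH:      /* integrity is provided by the security protocol */
	case PROTO_ESP:
	case PROTO_SCTP:    /* CRC32c, not the Internet checksum */
	case PROTO_UDPLITE: /* checksum may cover only part of the payload */
	case PROTO_DCCP:
	case PROTO_GRE:     /* checksum is optional */
		return false;
	default:
		return true;
	}
}

/* Ones'-complement accumulation over a byte buffer. */
static uint32_t csum_add(uint32_t sum, const uint8_t *data, size_t len)
{
	while (len > 1) {
		sum += (uint32_t)(data[0] << 8 | data[1]);
		data += 2;
		len -= 2;
	}
	if (len)
		sum += (uint32_t)(data[0] << 8);
	return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Transport checksum of an IPv4 packet using a pseudo header whose protocol
 * field is pseudo_proto. A valid packet folds to 0 only when pseudo_proto is
 * the packet's own protocol; passing 0, as the old code did for anything
 * other than TCP/UDP, makes a correct checksum look wrong. */
static uint16_t ipv4_transport_csum(const uint8_t *pkt, size_t len, uint8_t pseudo_proto)
{
	size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
	size_t tlen = len - ihl;
	uint8_t ph[12];
	uint32_t sum;

	memcpy(ph, pkt + 12, 8);        /* source and destination address */
	ph[8] = 0;
	ph[9] = pseudo_proto;
	ph[10] = (uint8_t)(tlen >> 8);  /* transport length */
	ph[11] = (uint8_t)tlen;
	sum = csum_add(0, ph, sizeof(ph));
	sum = csum_add(sum, pkt + ihl, tlen);
	return csum_fold(sum);
}

/* Decision of the fixed REJECT path: 1 = an ICMP unreachable may be sent,
 * 0 = transport checksum is bad, so the packet is dropped silently. */
static int reject_may_send_unreach(const uint8_t *pkt, size_t len)
{
	uint8_t proto = pkt[9];                 /* IPv4 protocol field */

	if (!reject_verify_csum(proto))
		return 1;                       /* nothing we can verify here */
	return ipv4_transport_csum(pkt, len, proto) == 0;
}

/* Constructed sample packets (not captured traffic). */
/* 10.0.0.1:4660 -> 10.0.0.2:53, UDP, payload "hi", correct checksum 0x7105. */
static const uint8_t udp_pkt[30] = {
	0x45, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
	0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
	0x12, 0x34, 0x00, 0x35, 0x00, 0x0a, 0x71, 0x05, 0x68, 0x69
};
/* Same datagram with the UDP checksum corrupted by one. */
static const uint8_t udp_pkt_bad[30] = {
	0x45, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
	0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
	0x12, 0x34, 0x00, 0x35, 0x00, 0x0a, 0x71, 0x06, 0x68, 0x69
};
/* Same addresses carrying GRE (protocol 47) with its optional checksum zero. */
static const uint8_t gre_pkt[28] = {
	0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x2f, 0x00, 0x00,
	0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
	0x80, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
	printf("udp, pseudo proto 17: 0x%04x\n", ipv4_transport_csum(udp_pkt, sizeof(udp_pkt), PROTO_UDP));
	printf("udp, pseudo proto 0:  0x%04x\n", ipv4_transport_csum(udp_pkt, sizeof(udp_pkt), 0));
	printf("reject udp/bad-udp/gre: %d/%d/%d\n",
	       reject_may_send_unreach(udp_pkt, sizeof(udp_pkt)),
	       reject_may_send_unreach(udp_pkt_bad, sizeof(udp_pkt_bad)),
	       reject_may_send_unreach(gre_pkt, sizeof(gre_pkt)));
	return 0;
}
```

Running it shows the UDP datagram folding to 0 with protocol 17 in the pseudo header but not with 0, which is why REJECT used to drop otherwise valid packets of any protocol it did not special-case, and shows the GRE packet reaching the "send unreachable" decision without any checksum arithmetic, which is what the proposed switch achieves with its `goto send_unreach`.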