Hi Pablo,

On Tue, Feb 12, 2019 at 12:50 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi Alin,
>
> On Tue, Feb 12, 2019 at 12:45:51AM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Feb 08, 2019 at 02:15:24PM +0100, Alin Nastac wrote:
> > > From: Alin Nastac <alin.nastac@xxxxxxxxx>
> > >
> > > Some protocols have other means to verify the payload integrity
> > > (AH, ESP, SCTP) while others are incompatible with the nf_ip(6)_checksum
> > > implementation because the checksum is either optional or might be
> > > partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used
> > > to validate the packets, ip(6)tables REJECT rules were not capable
> > > of generating ICMP(v6) errors for the protocols mentioned above.
> > >
> > > This commit also fixes the incorrect pseudo-header protocol used
> > > for IPv4 packets that carry other transport protocols than TCP or
> > > UDP (pseudo-header used protocol 0 iso the proper value).
>
> Sorry, I just realized that we are not updating:
>
> net/bridge/netfilter/nft_reject_bridge.c
>
> Probably we can place this:
>
> + proto = iph->protocol;
> + switch (proto) {
> + /* Protocols with other integrity checks. */
> + case IPPROTO_AH:
> + case IPPROTO_ESP:
> + case IPPROTO_SCTP:
> +
> + /* Protocols with partial checksums. */
> + case IPPROTO_UDPLITE:
> + case IPPROTO_DCCP:
> +
> + /* Protocols with optional checksums. */
> + case IPPROTO_GRE:
> + goto send_unreach;
> }
>
> into an inline function in include/net/netfilter/nf_reject.h and use
> it from these three spots?

The pseudo-header proto=0 issue must also be addressed in
net/bridge/netfilter/nft_reject_bridge.c.

I see you haven't pushed my commit yet. Do you want me to issue the 2nd
version of this patch?
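Review bot: the `goto send_unreach` in the quoted switch cannot be moved as-is into an inline function in include/net/netfilter/nf_reject.h, since the `send_unreach` label belongs to each caller; the helper should instead return a bool (for example, true when the protocol needs no checksum verification) and the three call sites keep their own `goto send_unreach`. Also, the closing `}` of the switch in the quoted snippet lacks its `+` marker, so the hunk as shown would not apply cleanly.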
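The two points from the commit message above, the per-protocol decision to skip transport checksum verification and the effect of a wrong IPv4 pseudo-header protocol, as an added C illustration that is neither the kernel's code nor part of this thread; the names reject_must_verify_csum, csum_fold and ipv4_pseudo_sum and the sample addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <netinet/in.h> /* IPPROTO_* numbers */

/* glibc normally defines these; fallbacks use the IANA numbers. */
#ifndef IPPROTO_UDPLITE
#define IPPROTO_UDPLITE 136
#endif
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif

/* Hypothetical helper (not the kernel's): should a REJECT target run the
 * full transport checksum check before answering with an ICMP error? */
static bool reject_must_verify_csum(uint8_t proto)
{
    switch (proto) {
    case IPPROTO_AH:      /* integrity covered by the AH ICV */
    case IPPROTO_ESP:     /* integrity covered by ESP authentication */
    case IPPROTO_SCTP:    /* CRC32c, not an Internet checksum */
    case IPPROTO_UDPLITE: /* checksum coverage may be partial */
    case IPPROTO_DCCP:    /* checksum coverage may be partial */
    case IPPROTO_GRE:     /* checksum is optional */
        return false;
    default:
        return true;      /* TCP, UDP, ICMP, ... */
    }
}

/* Fold a 32-bit one's-complement sum to 16 bits. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* IPv4 pseudo-header sum: src, dst, protocol, transport length (host order).
 * Passing proto = 0 instead of the real protocol number is the bug the
 * commit message describes: the sum shifts, so a correct checksum no
 * longer verifies. */
static uint16_t ipv4_pseudo_sum(uint32_t saddr, uint32_t daddr,
                                uint8_t proto, uint16_t len)
{
    uint32_t sum = (saddr >> 16) + (saddr & 0xffff)
                 + (daddr >> 16) + (daddr & 0xffff)
                 + proto + len;
    return csum_fold(sum);
}
```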