From: Alin Nastac <alin.nastac@xxxxxxxxx>
Typically transport protocols such as TCP and UDP use an IP
pseudo-header for their checksum computation, but ICMP does not
use it.
Fixes: 7fc38225363dd ("netfilter: reject: skip csum verification for protocols that don't support it")
Signed-off-by: Alin Nastac <alin.nastac@xxxxxxxxx>
---
net/ipv4/netfilter/nf_reject_ipv4.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 2361fda..4d2e956 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -180,6 +180,10 @@ void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
return;
}
+ /* ICMP checksum computation does not use an IP pseudo-header */
+ if (proto == IPPROTO_ICMP)
+ proto = 0;
+
if (nf_ip_checksum(skb_in, hook, ip_hdrlen(skb_in), proto) == 0)
icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
}
--
2.7.4
