• He Zhe's avatar
    netfilter: Fix remainder of pseudo-header protocol 0 · 5d154984
    He Zhe authored
    Since v5.1-rc1, some types of packets do not get unreachable reply with the
    following iptables setting. Fox example,
    
    $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
    $ ping 127.0.0.1 -c 1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    — 127.0.0.1 ping statistics —
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
    
    We should have got the following reply from command line, but we did not.
    From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
    
    Yi Zhao reported it and narrowed it down to:
    7fc38225 ("netfilter: reject: skip csum verification for protocols that don't support it"),
    
    This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
    packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
    treated as TCP/UDP.
    
    This patch corrects the conditions in nf_ip_checksum and all other places that
    still call it with protocol 0.
    
    Fixes: 7fc38225 ("netfilter: reject: skip csum verification for protocols that don't support it")
    Reported-by: default avatarYi Zhao <yi.zhao@windriver.com>
    Signed-off-by: default avatarHe Zhe <zhe.he@windriver.com>
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    5d154984
utils.c 5.31 KB