[linux-yocto] [kernel-cache][PATCH 2/2] netfilter: Fix remainder of pseudo-header protocol 0
zhe.he at windriver.com
Tue Jul 2 01:54:02 PDT 2019
From: He Zhe <zhe.he at windriver.com>
1/1 [
Author: He Zhe
Email: zhe.he at windriver.com
Subject: netfilter: Fix remainder of pseudo-header protocol 0
Date: Tue, 25 Jun 2019 18:15:50 +0800
Since v5.1-rc1, some types of packets do not get an unreachable reply with the
following iptables setting. For example,
$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
$ ping 127.0.0.1 -c 1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
We should have got the following reply from the command line, but we did not.
From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
Yi Zhao reported it and narrowed it down to:
7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),
This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
packets that are neither TCP nor UDP, and thus ICMP packets are mistakenly
treated as TCP/UDP.
This patch corrects the conditions in nf_ip_checksum and all other places that
still call it with protocol 0.
Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
Reported-by: Yi Zhao <yi.zhao at windriver.com>
Signed-off-by: He Zhe <zhe.he at windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield at gmail.com>
]
Signed-off-by: He Zhe <zhe.he at windriver.com>
---
patches/net/net.scc | 1 +
...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 ++++++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 patches/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
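As an added example (not code from this patch or from the kernel), a userspace model of the failure the commit message describes: an ICMP echo request whose RFC 1071 checksum is correct verifies when only the message is summed, but fails once an IPv4 pseudo-header is folded in, which is what nf_ip_checksum() did for IPPROTO_ICMP while only protocol 0 meant "no pseudo-header". The helper names (csum16, l4_csum_ok, pseudo_hdr_old/new, icmp_echo_sample, icmp_verifies) and the sample packet are constructed here; the two pseudo_hdr_* policies mirror the condition before and after the utils.c hunk.

```c
/* Added example, not from the patch: a userspace model of why a valid ICMP
 * packet fails nf_ip_checksum() when checked as TCP/UDP (RFC 1071 sums). */
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */

/* One's-complement sum of buf (plus seed) folded to 16 bits: csum_partial()
 * followed by the fold, in kernel terms. */
static uint16_t csum16(const uint8_t *buf, size_t len, uint32_t sum)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Verify an L4 message. pseudo_hdr adds the IPv4 pseudo-header (saddr, daddr,
 * proto, len) like csum_tcpudp_magic(); valid iff the folded sum is 0xffff (!csum_fold()). */
static int l4_csum_ok(const uint8_t *l4, size_t len, uint32_t saddr,
                      uint32_t daddr, uint8_t proto, int pseudo_hdr)
{
    uint32_t seed = !pseudo_hdr ? 0 : (saddr >> 16) + (saddr & 0xffff) +
                    (daddr >> 16) + (daddr & 0xffff) + proto + (uint32_t)len;
    return csum16(l4, len, seed) == 0xffff;
}

/* Pre-patch contract: only protocol 0 means "no pseudo-header". */
static int pseudo_hdr_old(uint8_t p) { return p != 0; }
/* Post-patch contract: anything but TCP and UDP has no pseudo-header. */
static int pseudo_hdr_new(uint8_t p) { return p == IPPROTO_TCP || p == IPPROTO_UDP; }

/* Constructed ICMP echo request (type 8, id 0x1234, seq 1, payload "ping")
 * with its checksum written into bytes 2-3. */
static size_t icmp_echo_sample(uint8_t out[12])
{
    static const uint8_t t[12] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1, 'p', 'i', 'n', 'g' };
    memcpy(out, t, sizeof t);
    uint16_t c = (uint16_t)~csum16(out, sizeof t, 0);
    out[2] = c >> 8; out[3] = c & 0xff;
    return sizeof t;
}

/* Does the sample verify when nf_ip_checksum-style logic is called with
 * protocol_arg under the given policy, for 127.0.0.1 -> 127.0.0.1? 1 = accepted. */
static int icmp_verifies(uint8_t protocol_arg, int (*policy)(uint8_t))
{
    uint8_t pkt[12]; size_t len = icmp_echo_sample(pkt);
    return l4_csum_ok(pkt, len, 0x7f000001u, 0x7f000001u, protocol_arg, policy(protocol_arg));
}
```

Under the old policy the ICMP packet is rejected as soon as a caller passes its real protocol number; under the new policy it verifies whether the caller passes IPPROTO_ICMP or the legacy 0.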
diff --git a/patches/net/net.scc b/patches/net/net.scc
index 2b32bc7..d09118a 100644
--- a/patches/net/net.scc
+++ b/patches/net/net.scc
@@ -1 +1,2 @@
patch Resolve-jiffies-wrapping-about-arp.patch
+patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
diff --git a/patches/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch b/patches/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
new file mode 100644
index 0000000..d1fdbf9
--- /dev/null
+++ b/patches/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
@@ -0,0 +1,92 @@
+From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he at windriver.com>
+Date: Tue, 25 Jun 2019 18:15:50 +0800
+Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since v5.1-rc1, some types of packets do not get unreachable reply with the
+following iptables setting. Fox example,
+
+$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
+$ ping 127.0.0.1 -c 1
+PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+— 127.0.0.1 ping statistics —
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+
+We should have got the following reply from command line, but we did not.
+From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
+
+Yi Zhao reported it and narrowed it down to:
+7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),
+
+This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
+packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
+treated as TCP/UDP.
+
+This patch corrects the conditions in nf_ip_checksum and all other places that
+still call it with protocol 0.
+
+Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
+Reported-by: Yi Zhao <yi.zhao at windriver.com>
+Signed-off-by: He Zhe <zhe.he at windriver.com>
+Signed-off-by: Bruce Ashfield <bruce.ashfield at gmail.com>
+---
+ net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
+ net/netfilter/nf_nat_proto.c | 2 +-
+ net/netfilter/utils.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
+index a824367ed518..dd53e2b20f6b 100644
+--- a/net/netfilter/nf_conntrack_proto_icmp.c
++++ b/net/netfilter/nf_conntrack_proto_icmp.c
+@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
+ /* See ip_conntrack_proto_tcp.c */
+ if (state->net->ct.sysctl_checksum &&
+ state->hook == NF_INET_PRE_ROUTING &&
+- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
++ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
+ icmp_error_log(skb, state, "bad hw icmp checksum");
+ return -NF_ACCEPT;
+ }
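Review bot: the switch from 0 to IPPROTO_ICMP in this nf_ip_checksum() call is only correct together with the utils.c hunks later in this patch, which are what stop nf_ip_checksum() from treating every non-zero protocol as "has a pseudo-header"; on its own this line would make the ICMP conntrack error path reject every valid ICMP checksum arriving with CHECKSUM_COMPLETE or CHECKSUM_NONE. Please add a sentence to the commit message stating that the helper's contract changes in the same patch so the hunks are not backported separately. The surrounding guard (sysctl_checksum and NF_INET_PRE_ROUTING) is unchanged, so the scope of the verification is the same as before.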
+diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
+index 07da07788f6b..83a24cc5753b 100644
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
+
+ if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
+ return 0;
+- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
++ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
+ return 0;
+
+ inside = (void *)skb->data + hdrlen;
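Review bot: the commit message says the patch fixes "all other places that still call it with protocol 0", but the diffstat shows only this caller and the conntrack one changing; stating in the message that these are the only remaining 0-callers (the reject path is the one changed by 7fc38225363d named in the Fixes tag) would save backporters a search for a third. As in the conntrack hunk, IPPROTO_ICMP here depends on the utils.c change in the same patch, and a checksum failure still makes nf_nat_icmp_reply_translation() return 0 as before.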
+diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
+index 06dc55590441..51b454d8fa9c 100644
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ case CHECKSUM_COMPLETE:
+ if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
+ break;
+- if ((protocol == 0 && !csum_fold(skb->csum)) ||
++ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
++ !csum_fold(skb->csum)) ||
+ !csum_tcpudp_magic(iph->saddr, iph->daddr,
+ skb->len - dataoff, protocol,
+ skb->csum)) {
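Review bot: the `||` keeps the old two-way structure, so for a non-TCP/UDP protocol whose full checksum does not fold to zero, evaluation continues into `csum_tcpudp_magic()` with a pseudo-header that has no meaning for that protocol, and the if body is taken as though the checksum were valid whenever that unrelated sum happens to fold to zero (the pre-patch `protocol == 0` line had the same shape). An if/else on the pseudo-header test would state the intent directly, for example `if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) ok = !csum_fold(skb->csum); else ok = !csum_tcpudp_magic(...)`. Worth noting in the commit message as well: since 0 is neither IPPROTO_TCP nor IPPROTO_UDP, any caller still passing 0 keeps its previous behaviour, so this hunk is safe for any straggler.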
+@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ }
+ /* fall through */
+ case CHECKSUM_NONE:
+- if (protocol == 0)
++ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
+ skb->csum = 0;
+ else
+ skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
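Review bot: the `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` test now appears twice in nf_ip_checksum(), here and in the CHECKSUM_COMPLETE case above; a small static helper such as `static bool nf_ip_has_pseudo_hdr(u8 protocol)` would keep the two branches from drifting apart and give one place to document that the protocol argument is now the real L4 protocol rather than 0 meaning "no pseudo-header".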
+--
+2.19.1
+
--
2.7.4