[linux-yocto] [kernel-cache][PATCH 1/2] Revert "netfilter: Fix remainder of pseudo-header protocol 0"
He Zhe
zhe.he at windriver.com
Tue Jul 2 09:17:24 PDT 2019
On 7/2/19 9:16 PM, He Zhe wrote:
>
> On 7/2/19 9:04 PM, Bruce Ashfield wrote:
>> On Tue, Jul 2, 2019 at 4:54 AM <zhe.he at windriver.com> wrote:
>>> From: He Zhe <zhe.he at windriver.com>
>>>
>>> The patch has already been applied on the tree. This would trigger
>>> re-application when features/net/net.scc included.
>> Nothing should be including net.scc directly from a KERNEL_FEATURES.
>> It is a patch + config block.
>> So we won't be reverting this. Whatever is triggering that extra
>> patching is using the wrong feature
>> fragment.
>>
>> How exactly are you triggering the issue ?
> I'm triggering the issue from features/net/team/team.scc which includes net.scc.
Would team.scc be considered an acceptable usage?
Thanks,
Zhe
>
> Zhe
>
>> Bruce
>>
>>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
>>> ---
>>> features/net/net.scc | 1 -
>>> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 ----------------------
>>> 2 files changed, 93 deletions(-)
>>> delete mode 100644 features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>>
>>> diff --git a/features/net/net.scc b/features/net/net.scc
>>> index 722b320..4a4e0fb 100644
>>> --- a/features/net/net.scc
>>> +++ b/features/net/net.scc
>>> @@ -1,3 +1,2 @@
>>>
>>> kconf hardware net.cfg
>>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
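Review bot: Dropping the `patch` line from net.scc removes the fix from every consumer of this fragment, not only the path that double-applies it; the discussion above says the re-application comes from features/net/team/team.scc including net.scc, so the include in team.scc is the place to change, not the net.scc patch list. If the patch really is already in the tree, the commit message should name the tree commit that carries it so the removal can be verified.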
>>> diff --git a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> deleted file mode 100644
>>> index d1fdbf9..0000000
>>> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>> +++ /dev/null
>>> @@ -1,92 +0,0 @@
>>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
>>> -From: He Zhe <zhe.he at windriver.com>
>>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
>>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=UTF-8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
>>> -following iptables setting. Fox example,
>>> -
>>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>>> -$ ping 127.0.0.1 -c 1
>>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>>> -— 127.0.0.1 ping statistics —
>>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
>>> -
>>> -We should have got the following reply from command line, but we did not.
>>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>>> -
>>> -Yi Zhao reported it and narrowed it down to:
>>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),
>>> -
>>> -This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
>>> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
>>> -treated as TCP/UDP.
>>> -
>>> -This patch corrects the conditions in nf_ip_checksum and all other places that
>>> -still call it with protocol 0.
>>> -
>>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
>>> -Reported-by: Yi Zhao <yi.zhao at windriver.com>
>>> -Signed-off-by: He Zhe <zhe.he at windriver.com>
>>> -Signed-off-by: Bruce Ashfield <bruce.ashfield at gmail.com>
>>> ----
>>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>>> - net/netfilter/nf_nat_proto.c | 2 +-
>>> - net/netfilter/utils.c | 5 +++--
>>> - 3 files changed, 5 insertions(+), 4 deletions(-)
>>> -
>>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
>>> -index a824367ed518..dd53e2b20f6b 100644
>>> ---- a/net/netfilter/nf_conntrack_proto_icmp.c
>>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
>>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>>> - /* See ip_conntrack_proto_tcp.c */
>>> - if (state->net->ct.sysctl_checksum &&
>>> - state->hook == NF_INET_PRE_ROUTING &&
>>> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>>> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>>> - icmp_error_log(skb, state, "bad hw icmp checksum");
>>> - return -NF_ACCEPT;
>>> - }
>>> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>>> -index 07da07788f6b..83a24cc5753b 100644
>>> ---- a/net/netfilter/nf_nat_proto.c
>>> -+++ b/net/netfilter/nf_nat_proto.c
>>> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>>> -
>>> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>>> - return 0;
>>> -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>>> -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>>> - return 0;
>>> -
>>> - inside = (void *)skb->data + hdrlen;
>>> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>>> -index 06dc55590441..51b454d8fa9c 100644
>>> ---- a/net/netfilter/utils.c
>>> -+++ b/net/netfilter/utils.c
>>> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
>>> - case CHECKSUM_COMPLETE:
>>> - if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
>>> - break;
>>> -- if ((protocol == 0 && !csum_fold(skb->csum)) ||
>>> -+ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
>>> -+ !csum_fold(skb->csum)) ||
>>> - !csum_tcpudp_magic(iph->saddr, iph->daddr,
>>> - skb->len - dataoff, protocol,
>>> - skb->csum)) {
>>> -@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
>>> - }
>>> - /* fall through */
>>> - case CHECKSUM_NONE:
>>> -- if (protocol == 0)
>>> -+ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
>>> - skb->csum = 0;
>>> - else
>>> - skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
>>> ---
>>> -2.19.1
>>> -
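Review bot: Deleting the backport file also discards its record of why the change exists (the `Fixes: 7fc38225363d` reference, the Reported-by line and the reproduction showing ICMP REJECT no longer answering), and nothing in the revert message points to where that fix now lives in the tree. Before removing the file, add a reference to the in-tree commit to the commit message, or keep the file and fix the feature fragment that includes net.scc so the same patch is not applied twice.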
>>> --
>>> 2.7.4
>>>
>> --
>> - Thou shalt not follow the NULL pointer, for chaos and madness await
>> thee at its end
>> - "Use the force Harry" - Gandalf, Star Trek II
>>