git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	He Zhe <zhe.he@windriver.com>
	Mon, 24 Jun 2019 03:17:38 +0000 (11:17 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 26 Jul 2019 07:12:47 +0000 (09:12 +0200)
commit	7bc8dfa08807e0ab31fb870e4ed0d3355b7acdca
tree	34b78610fc0c27cd664966685d4b8ba21e52a545	tree \| snapshot
parent	91adaf0eb7bd981ca7c6d7b37823d69bd87bf3af	commit \| diff

netfilter: Fix remainder of pseudo-header protocol 0

[ Upstream commit 5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8 ]

Since v5.1-rc1, some types of packets do not get unreachable reply with the
following iptables setting. Fox example,

$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
$ ping 127.0.0.1 -c 1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
— 127.0.0.1 ping statistics —
1 packets transmitted, 0 received, 100% packet loss, time 0ms

We should have got the following reply from command line, but we did not.
From 127.0.0.1 icmp_seq=1 Destination Port Unreachable

Yi Zhao reported it and narrowed it down to:
7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),

This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
treated as TCP/UDP.

This patch corrects the conditions in nf_ip_checksum and all other places that
still call it with protocol 0.

Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
Reported-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/netfilter/nf_conntrack_proto_icmp.c		diff \| blob \| blame \| history
net/netfilter/nf_nat_proto.c		diff \| blob \| blame \| history
net/netfilter/utils.c		diff \| blob \| blame \| history