git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 29 Aug 2025 15:01:02 +0000 (17:01 +0200)
committer	Florian Westphal <fw@strlen.de>
	Thu, 11 Sep 2025 13:40:55 +0000 (15:40 +0200)
commit	db99b2f2b3e2cd8227ac9990ca4a8a31a1e95e56
tree	225951b3f0685d84e74d0a6cbac6060a90c2c9c0	tree \| snapshot
parent	944b6b216c0387ac3050cd8b773819ae360bfb1c	commit \| diff

netfilter: nf_reject: don't reply to icmp error messages

tcp reject code won't reply to a tcp reset.

But the icmp reject 'netdev' family versions will reply to icmp
dst-unreach errors, unlike icmp_send() and icmp6_send() which are used
by the inet family implementation (and internally by the REJECT target).

Check for the icmp(6) type and do not respond if its an unreachable error.

Without this, something like 'ip protocol icmp reject', when used
in a netdev chain attached to 'lo', cause a packet loop.

Same for two hosts that both use such a rule: each error packet
will be replied to.

Such situation persist until the (bogus) rule is amended to ratelimit or
checks the icmp type before the reject statement.

As the inet versions don't do this make the netdev ones follow along.

Signed-off-by: Florian Westphal <fw@strlen.de>

net/ipv4/netfilter/nf_reject_ipv4.c		diff \| blob \| blame \| history
net/ipv6/netfilter/nf_reject_ipv6.c		diff \| blob \| blame \| history