netfilter: nf_reject: don't reply to icmp error messages

[ Upstream commit db99b2f2b3e2cd8227ac9990ca4a8a31a1e95e56 ]

tcp reject code won't reply to a tcp reset.

But the icmp reject 'netdev' family versions will reply to icmp
dst-unreach errors, unlike icmp_send() and icmp6_send() which are used
by the inet family implementation (and internally by the REJECT target).

Check for the icmp(6) type and do not respond if its an unreachable error.

Without this, something like 'ip protocol icmp reject', when used
in a netdev chain attached to 'lo', cause a packet loop.

Same for two hosts that both use such a rule: each error packet
will be replied to.

Such situation persist until the (bogus) rule is amended to ratelimit or
checks the icmp type before the reject statement.

As the inet versions don't do this make the netdev ones follow along.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 0d3cb2ba6fc84164dc513049ec4c7dbff652425e..a7a3439fe78004c188f3e451770d702ac6d206e1 100644 (file)
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -71,6 +71,27 @@ struct sk_buff *nf_reject_skb_v4_tcp_reset(struct net *net,
 }
 EXPORT_SYMBOL_GPL(nf_reject_skb_v4_tcp_reset);
 
+static bool nf_skb_is_icmp_unreach(const struct sk_buff *skb)
+{
+       const struct iphdr *iph = ip_hdr(skb);
+       u8 *tp, _type;
+       int thoff;
+
+       if (iph->protocol != IPPROTO_ICMP)
+               return false;
+
+       thoff = skb_network_offset(skb) + sizeof(*iph);
+
+       tp = skb_header_pointer(skb,
+                               thoff + offsetof(struct icmphdr, type),
+                               sizeof(_type), &_type);
+
+       if (!tp)
+               return false;
+
+       return *tp == ICMP_DEST_UNREACH;
+}
+
 struct sk_buff *nf_reject_skb_v4_unreach(struct net *net,
                                         struct sk_buff *oldskb,
                                         const struct net_device *dev,
@@ -91,6 +112,10 @@ struct sk_buff *nf_reject_skb_v4_unreach(struct net *net,
        if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
                return NULL;
 
+       /* don't reply to ICMP_DEST_UNREACH with ICMP_DEST_UNREACH. */
+       if (nf_skb_is_icmp_unreach(oldskb))
+               return NULL;
+
        /* RFC says return as much as we can without exceeding 576 bytes. */
        len = min_t(unsigned int, 536, oldskb->len);
 

diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index c3d64c4b69d7deff5fe07ea40dfa03d6b88556d4..84afa0cbc902145cb7ba22bd6e835b2869e70bf9 100644 (file)
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -91,6 +91,32 @@ struct sk_buff *nf_reject_skb_v6_tcp_reset(struct net *net,
 }
 EXPORT_SYMBOL_GPL(nf_reject_skb_v6_tcp_reset);
 
+static bool nf_skb_is_icmp6_unreach(const struct sk_buff *skb)
+{
+       const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+       u8 proto = ip6h->nexthdr;
+       u8 _type, *tp;
+       int thoff;
+       __be16 fo;
+
+       thoff = ipv6_skip_exthdr(skb, ((u8 *)(ip6h + 1) - skb->data), &proto, &fo);
+
+       if (thoff < 0 || thoff >= skb->len || fo != 0)
+               return false;
+
+       if (proto != IPPROTO_ICMPV6)
+               return false;
+
+       tp = skb_header_pointer(skb,
+                               thoff + offsetof(struct icmp6hdr, icmp6_type),
+                               sizeof(_type), &_type);
+
+       if (!tp)
+               return false;
+
+       return *tp == ICMPV6_DEST_UNREACH;
+}
+
 struct sk_buff *nf_reject_skb_v6_unreach(struct net *net,
                                         struct sk_buff *oldskb,
                                         const struct net_device *dev,
@@ -104,6 +130,10 @@ struct sk_buff *nf_reject_skb_v6_unreach(struct net *net,
        if (!nf_reject_ip6hdr_validate(oldskb))
                return NULL;
 
+       /* Don't reply to ICMPV6_DEST_UNREACH with ICMPV6_DEST_UNREACH */
+       if (nf_skb_is_icmp6_unreach(oldskb))
+               return NULL;
+
        /* Include "As much of invoking packet as possible without the ICMPv6
         * packet exceeding the minimum IPv6 MTU" in the ICMP payload.
         */