diff options
author | Phil Oester <kernel@linuxace.com> | 2013-06-26 17:16:28 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-08-27 18:13:12 -0400 |
commit | affe759dbaa9e6c08b0da0a11d1933b61f199f51 (patch) | |
tree | f232ec8dcf549c3903b3a959480e79e9dba573c1 /net | |
parent | 35fdb94b453bc69b7bc74b717f1e03d41d4bcdba (diff) |
netfilter: ip[6]t_REJECT: tcp-reset using wrong MAC source if bridged
As reported by Casper Gripenberg, in a bridged setup, using ip[6]t_REJECT
with the tcp-reset option sends out reset packets with the src MAC address
of the local bridge interface, instead of the MAC address of the intended
destination. This causes some routers/firewalls to drop the reset packet
as it appears to be spoofed. Fix this by bypassing ip[6]_local_out and
setting the MAC of the sender in the tcp reset packet.
This closes netfilter bugzilla #531.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/ipt_REJECT.c | 21 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_REJECT.c | 20 |
2 files changed, 39 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 04b18c1ac345..b969131ad1c1 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
@@ -119,7 +119,26 @@ static void send_reset(struct sk_buff *oldskb, int hook) | |||
119 | 119 | ||
120 | nf_ct_attach(nskb, oldskb); | 120 | nf_ct_attach(nskb, oldskb); |
121 | 121 | ||
122 | ip_local_out(nskb); | 122 | #ifdef CONFIG_BRIDGE_NETFILTER |
123 | /* If we use ip_local_out for bridged traffic, the MAC source on | ||
124 | * the RST will be ours, instead of the destination's. This confuses | ||
125 | * some routers/firewalls, and they drop the packet. So we need to | ||
126 | * build the eth header using the original destination's MAC as the | ||
127 | * source, and send the RST packet directly. | ||
128 | */ | ||
129 | if (oldskb->nf_bridge) { | ||
130 | struct ethhdr *oeth = eth_hdr(oldskb); | ||
131 | nskb->dev = oldskb->nf_bridge->physindev; | ||
132 | niph->tot_len = htons(nskb->len); | ||
133 | ip_send_check(niph); | ||
134 | if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), | ||
135 | oeth->h_source, oeth->h_dest, nskb->len) < 0) | ||
136 | goto free_nskb; | ||
137 | dev_queue_xmit(nskb); | ||
138 | } else | ||
139 | #endif | ||
140 | ip_local_out(nskb); | ||
141 | |||
123 | return; | 142 | return; |
124 | 143 | ||
125 | free_nskb: | 144 | free_nskb: |
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 70f9abc0efe9..56eef30ee5f6 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c | |||
@@ -169,7 +169,25 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) | |||
169 | 169 | ||
170 | nf_ct_attach(nskb, oldskb); | 170 | nf_ct_attach(nskb, oldskb); |
171 | 171 | ||
172 | ip6_local_out(nskb); | 172 | #ifdef CONFIG_BRIDGE_NETFILTER |
173 | /* If we use ip6_local_out for bridged traffic, the MAC source on | ||
174 | * the RST will be ours, instead of the destination's. This confuses | ||
175 | * some routers/firewalls, and they drop the packet. So we need to | ||
176 | * build the eth header using the original destination's MAC as the | ||
177 | * source, and send the RST packet directly. | ||
178 | */ | ||
179 | if (oldskb->nf_bridge) { | ||
180 | struct ethhdr *oeth = eth_hdr(oldskb); | ||
181 | nskb->dev = oldskb->nf_bridge->physindev; | ||
182 | nskb->protocol = htons(ETH_P_IPV6); | ||
183 | ip6h->payload_len = htons(sizeof(struct tcphdr)); | ||
184 | if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), | ||
185 | oeth->h_source, oeth->h_dest, nskb->len) < 0) | ||
186 | return; | ||
187 | dev_queue_xmit(nskb); | ||
188 | } else | ||
189 | #endif | ||
190 | ip6_local_out(nskb); | ||
173 | } | 191 | } |
174 | 192 | ||
175 | static inline void | 193 | static inline void |