diff options
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 23 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 7 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_udp.c | 7 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_REJECT.c | 9 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 20 |
5 files changed, 13 insertions, 53 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c index 3021af0910f1..d8b14a9010a6 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c | |||
| @@ -224,25 +224,14 @@ icmp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 224 | } | 224 | } |
| 225 | 225 | ||
| 226 | /* See ip_conntrack_proto_tcp.c */ | 226 | /* See ip_conntrack_proto_tcp.c */ |
| 227 | if (hooknum != NF_IP_PRE_ROUTING) | 227 | if (hooknum == NF_IP_PRE_ROUTING && |
| 228 | goto checksum_skipped; | 228 | nf_ip_checksum(skb, hooknum, skb->nh.iph->ihl * 4, 0)) { |
| 229 | 229 | if (LOG_INVALID(IPPROTO_ICMP)) | |
| 230 | switch (skb->ip_summed) { | 230 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 231 | case CHECKSUM_HW: | 231 | "ip_ct_icmp: bad ICMP checksum "); |
| 232 | if (!(u16)csum_fold(skb->csum)) | 232 | return -NF_ACCEPT; |
| 233 | break; | ||
| 234 | /* fall through */ | ||
| 235 | case CHECKSUM_NONE: | ||
| 236 | skb->csum = 0; | ||
| 237 | if (__skb_checksum_complete(skb)) { | ||
| 238 | if (LOG_INVALID(IPPROTO_ICMP)) | ||
| 239 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, | ||
| 240 | "ip_ct_icmp: bad ICMP checksum "); | ||
| 241 | return -NF_ACCEPT; | ||
| 242 | } | ||
| 243 | } | 233 | } |
| 244 | 234 | ||
| 245 | checksum_skipped: | ||
| 246 | /* | 235 | /* |
| 247 | * 18 is the highest 'known' ICMP type. Anything else is a mystery | 236 | * 18 is the highest 'known' ICMP type. Anything else is a mystery |
| 248 | * | 237 | * |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index e0dc37063545..062b252b58ad 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c | |||
| @@ -870,11 +870,8 @@ static int tcp_error(struct sk_buff *skb, | |||
| 870 | * and moreover root might send raw packets. | 870 | * and moreover root might send raw packets. |
| 871 | */ | 871 | */ |
| 872 | /* FIXME: Source route IP option packets --RR */ | 872 | /* FIXME: Source route IP option packets --RR */ |
| 873 | if (hooknum == NF_IP_PRE_ROUTING | 873 | if (hooknum == NF_IP_PRE_ROUTING && |
| 874 | && skb->ip_summed != CHECKSUM_UNNECESSARY | 874 | nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_TCP)) { |
| 875 | && csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP, | ||
| 876 | skb->ip_summed == CHECKSUM_HW ? skb->csum | ||
| 877 | : skb_checksum(skb, iph->ihl*4, tcplen, 0))) { | ||
| 878 | if (LOG_INVALID(IPPROTO_TCP)) | 875 | if (LOG_INVALID(IPPROTO_TCP)) |
| 879 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, | 876 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 880 | "ip_ct_tcp: bad TCP checksum "); | 877 | "ip_ct_tcp: bad TCP checksum "); |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c index 55b7d3210adf..70899868783b 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c | |||
| @@ -120,11 +120,8 @@ static int udp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 120 | * because the semantic of CHECKSUM_HW is different there | 120 | * because the semantic of CHECKSUM_HW is different there |
| 121 | * and moreover root might send raw packets. | 121 | * and moreover root might send raw packets. |
| 122 | * FIXME: Source route IP option packets --RR */ | 122 | * FIXME: Source route IP option packets --RR */ |
| 123 | if (hooknum == NF_IP_PRE_ROUTING | 123 | if (hooknum == NF_IP_PRE_ROUTING && |
| 124 | && skb->ip_summed != CHECKSUM_UNNECESSARY | 124 | nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_UDP)) { |
| 125 | && csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP, | ||
| 126 | skb->ip_summed == CHECKSUM_HW ? skb->csum | ||
| 127 | : skb_checksum(skb, iph->ihl*4, udplen, 0))) { | ||
| 128 | if (LOG_INVALID(IPPROTO_UDP)) | 125 | if (LOG_INVALID(IPPROTO_UDP)) |
| 129 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, | 126 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 130 | "ip_ct_udp: bad UDP checksum "); | 127 | "ip_ct_udp: bad UDP checksum "); |
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 4269a5440d43..0bba3c2bb786 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
| @@ -106,7 +106,6 @@ static void send_reset(struct sk_buff *oldskb, int hook) | |||
| 106 | struct rtable *rt; | 106 | struct rtable *rt; |
| 107 | u_int16_t tmp_port; | 107 | u_int16_t tmp_port; |
| 108 | u_int32_t tmp_addr; | 108 | u_int32_t tmp_addr; |
| 109 | unsigned int tcplen; | ||
| 110 | int needs_ack; | 109 | int needs_ack; |
| 111 | int hh_len; | 110 | int hh_len; |
| 112 | 111 | ||
| @@ -124,13 +123,7 @@ static void send_reset(struct sk_buff *oldskb, int hook) | |||
| 124 | return; | 123 | return; |
| 125 | 124 | ||
| 126 | /* Check checksum */ | 125 | /* Check checksum */ |
| 127 | tcplen = oldskb->len - iph->ihl * 4; | 126 | if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP)) |
| 128 | if (((hook != NF_IP_LOCAL_IN && oldskb->ip_summed != CHECKSUM_HW) || | ||
| 129 | (hook == NF_IP_LOCAL_IN && | ||
| 130 | oldskb->ip_summed != CHECKSUM_UNNECESSARY)) && | ||
| 131 | csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP, | ||
| 132 | oldskb->ip_summed == CHECKSUM_HW ? oldskb->csum : | ||
| 133 | skb_checksum(oldskb, iph->ihl * 4, tcplen, 0))) | ||
| 134 | return; | 127 | return; |
| 135 | 128 | ||
| 136 | if ((rt = route_reverse(oldskb, oth, hook)) == NULL) | 129 | if ((rt = route_reverse(oldskb, oth, hook)) == NULL) |
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 52dc175be39a..4b0d361cc6e6 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -235,30 +235,14 @@ icmp_error(struct sk_buff *skb, unsigned int dataoff, | |||
| 235 | } | 235 | } |
| 236 | 236 | ||
| 237 | /* See ip_conntrack_proto_tcp.c */ | 237 | /* See ip_conntrack_proto_tcp.c */ |
| 238 | if (hooknum != NF_IP_PRE_ROUTING) | 238 | if (hooknum == NF_IP_PRE_ROUTING && |
| 239 | goto checksum_skipped; | 239 | nf_ip_checksum(skb, hooknum, dataoff, 0)) { |
| 240 | |||
| 241 | switch (skb->ip_summed) { | ||
| 242 | case CHECKSUM_HW: | ||
| 243 | if (!(u16)csum_fold(skb->csum)) | ||
| 244 | break; | ||
| 245 | if (LOG_INVALID(IPPROTO_ICMP)) | 240 | if (LOG_INVALID(IPPROTO_ICMP)) |
| 246 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, | 241 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 247 | "nf_ct_icmp: bad HW ICMP checksum "); | 242 | "nf_ct_icmp: bad HW ICMP checksum "); |
| 248 | return -NF_ACCEPT; | 243 | return -NF_ACCEPT; |
| 249 | case CHECKSUM_NONE: | ||
| 250 | if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) { | ||
| 251 | if (LOG_INVALID(IPPROTO_ICMP)) | ||
| 252 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | ||
| 253 | NULL, | ||
| 254 | "nf_ct_icmp: bad ICMP checksum "); | ||
| 255 | return -NF_ACCEPT; | ||
| 256 | } | ||
| 257 | default: | ||
| 258 | break; | ||
| 259 | } | 244 | } |
| 260 | 245 | ||
| 261 | checksum_skipped: | ||
| 262 | /* | 246 | /* |
| 263 | * 18 is the highest 'known' ICMP type. Anything else is a mystery | 247 | * 18 is the highest 'known' ICMP type. Anything else is a mystery |
| 264 | * | 248 | * |