8 files changed, 150 insertions, 27 deletions

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index c8fa62476461..e35b71289156 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -516,7 +516,7 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 
         hlen = iph->ihl * 4;
         mtu = mtu - hlen;       /* Size of data space */
-#ifdef CONFIG_BRIDGE_NETFILTER
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
         if (skb->nf_bridge)
                 mtu -= nf_bridge_mtu_reduction(skb);
 #endif
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 345242a79db6..4c019d5c3f57 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -61,8 +61,13 @@ config NFT_CHAIN_ROUTE_IPV4
           fields such as the source, destination, type of service and
           the packet mark.
 
+config NF_REJECT_IPV4
+        tristate "IPv4 packet rejection"
+        default m if NETFILTER_ADVANCED=n
+
 config NFT_REJECT_IPV4
         depends on NF_TABLES_IPV4
+        select NF_REJECT_IPV4
         default NFT_REJECT
         tristate
 
@@ -208,6 +213,7 @@ config IP_NF_FILTER
 config IP_NF_TARGET_REJECT
         tristate "REJECT target support"
         depends on IP_NF_FILTER
+        select NF_REJECT_IPV4
         default m if NETFILTER_ADVANCED=n
         help
           The REJECT target allows a filtering rule to specify that an ICMP
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 14488cc5fd2c..f4cef5af0969 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -23,6 +23,9 @@ obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o
 obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o
 obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o
 
+# reject
+obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
+
 # NAT helpers (nf_conntrack)
 obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
 obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 5b6e0df4ccff..8f48f5517e33 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -20,7 +20,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
-#ifdef CONFIG_BRIDGE_NETFILTER
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 #include <linux/netfilter_bridge.h>
 #endif
 
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 76bd1aef257f..7e5ca6f2d0cd 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -50,7 +50,7 @@ static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
                 zone = nf_ct_zone((struct nf_conn *)skb->nfct);
 #endif
 
-#ifdef CONFIG_BRIDGE_NETFILTER
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
         if (skb->nf_bridge &&
             skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
                 return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
new file mode 100644
index 000000000000..b023b4eb1a96
--- /dev/null
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -0,0 +1,127 @@
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <net/ip.h>
+#include <net/tcp.h>
+#include <net/route.h>
+#include <net/dst.h>
+#include <linux/netfilter_ipv4.h>
+
+/* Send RST reply */
+void nf_send_reset(struct sk_buff *oldskb, int hook)
+{
+        struct sk_buff *nskb;
+        const struct iphdr *oiph;
+        struct iphdr *niph;
+        const struct tcphdr *oth;
+        struct tcphdr _otcph, *tcph;
+
+        /* IP header checks: fragment. */
+        if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
+                return;
+
+        oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
+                                 sizeof(_otcph), &_otcph);
+        if (oth == NULL)
+                return;
+
+        /* No RST for RST. */
+        if (oth->rst)
+                return;
+
+        if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
+                return;
+
+        /* Check checksum */
+        if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+                return;
+        oiph = ip_hdr(oldskb);
+
+        nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
+                         LL_MAX_HEADER, GFP_ATOMIC);
+        if (!nskb)
+                return;
+
+        skb_reserve(nskb, LL_MAX_HEADER);
+
+        skb_reset_network_header(nskb);
+        niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr));
+        niph->version   = 4;
+        niph->ihl       = sizeof(struct iphdr) / 4;
+        niph->tos       = 0;
+        niph->id        = 0;
+        niph->frag_off  = htons(IP_DF);
+        niph->protocol  = IPPROTO_TCP;
+        niph->check     = 0;
+        niph->saddr     = oiph->daddr;
+        niph->daddr     = oiph->saddr;
+
+        skb_reset_transport_header(nskb);
+        tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+        memset(tcph, 0, sizeof(*tcph));
+        tcph->source    = oth->dest;
+        tcph->dest      = oth->source;
+        tcph->doff      = sizeof(struct tcphdr) / 4;
+
+        if (oth->ack)
+                tcph->seq = oth->ack_seq;
+        else {
+                tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+                                      oldskb->len - ip_hdrlen(oldskb) -
+                                      (oth->doff << 2));
+                tcph->ack = 1;
+        }
+
+        tcph->rst       = 1;
+        tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
+                                    niph->daddr, 0);
+        nskb->ip_summed = CHECKSUM_PARTIAL;
+        nskb->csum_start = (unsigned char *)tcph - nskb->head;
+        nskb->csum_offset = offsetof(struct tcphdr, check);
+
+        /* ip_route_me_harder expects skb->dst to be set */
+        skb_dst_set_noref(nskb, skb_dst(oldskb));
+
+        nskb->protocol = htons(ETH_P_IP);
+        if (ip_route_me_harder(nskb, RTN_UNSPEC))
+                goto free_nskb;
+
+        niph->ttl       = ip4_dst_hoplimit(skb_dst(nskb));
+
+        /* "Never happens" */
+        if (nskb->len > dst_mtu(skb_dst(nskb)))
+                goto free_nskb;
+
+        nf_ct_attach(nskb, oldskb);
+
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+        /* If we use ip_local_out for bridged traffic, the MAC source on
+         * the RST will be ours, instead of the destination's.  This confuses
+         * some routers/firewalls, and they drop the packet.  So we need to
+         * build the eth header using the original destination's MAC as the
+         * source, and send the RST packet directly.
+         */
+        if (oldskb->nf_bridge) {
+                struct ethhdr *oeth = eth_hdr(oldskb);
+                nskb->dev = oldskb->nf_bridge->physindev;
+                niph->tot_len = htons(nskb->len);
+                ip_send_check(niph);
+                if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol),
+                                    oeth->h_source, oeth->h_dest, nskb->len) < 0)
+                        goto free_nskb;
+                dev_queue_xmit(nskb);
+        } else
+#endif
+                ip_local_out(nskb);
+
+        return;
+
+ free_nskb:
+        kfree_skb(nskb);
+}
+EXPORT_SYMBOL_GPL(nf_send_reset);
diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
index 6ea1d207b6a5..1c636d6b5b50 100644
--- a/net/ipv4/netfilter/nft_masq_ipv4.c
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -32,33 +32,12 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
         data[NFT_REG_VERDICT].verdict = verdict;
 }
 
-static int nft_masq_ipv4_init(const struct nft_ctx *ctx,
-                              const struct nft_expr *expr,
-                              const struct nlattr * const tb[])
-{
-        int err;
-
-        err = nft_masq_init(ctx, expr, tb);
-        if (err < 0)
-                return err;
-
-        nf_nat_masquerade_ipv4_register_notifier();
-        return 0;
-}
-
-static void nft_masq_ipv4_destroy(const struct nft_ctx *ctx,
-                                  const struct nft_expr *expr)
-{
-        nf_nat_masquerade_ipv4_unregister_notifier();
-}
-
 static struct nft_expr_type nft_masq_ipv4_type;
 static const struct nft_expr_ops nft_masq_ipv4_ops = {
         .type           = &nft_masq_ipv4_type,
         .size           = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
         .eval           = nft_masq_ipv4_eval,
-        .init           = nft_masq_ipv4_init,
-        .destroy        = nft_masq_ipv4_destroy,
+        .init           = nft_masq_init,
         .dump           = nft_masq_dump,
 };
 
@@ -73,12 +52,21 @@ static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
 
 static int __init nft_masq_ipv4_module_init(void)
 {
-        return nft_register_expr(&nft_masq_ipv4_type);
+        int ret;
+
+        ret = nft_register_expr(&nft_masq_ipv4_type);
+        if (ret < 0)
+                return ret;
+
+        nf_nat_masquerade_ipv4_register_notifier();
+
+        return ret;
 }
 
 static void __exit nft_masq_ipv4_module_exit(void)
 {
         nft_unregister_expr(&nft_masq_ipv4_type);
+        nf_nat_masquerade_ipv4_unregister_notifier();
 }
 
 module_init(nft_masq_ipv4_module_init);
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index e79718a382f2..ed33299c56d1 100644
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -16,7 +16,6 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables.h>
-#include <net/icmp.h>
 #include <net/netfilter/ipv4/nf_reject.h>
 #include <net/netfilter/nft_reject.h>