Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | netfilter: conntrack: skip verification of zero UDP checksum | Kevin Mitchell | 2022-05-13 | 1 | -4/+17 |
| | | | | | | | | | | | | The checksum is optional for UDP packets. However nf_reject would previously require a valid checksum to elicit a response such as ICMP_DEST_UNREACH. Add some logic to nf_reject_verify_csum to determine if a UDP packet has a zero checksum and should therefore not be verified. Signed-off-by: Kevin Mitchell <kevmitch@arista.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
* | netfilter: add missing includes to a number of header-files. | Jeremy Sowden | 2019-08-13 | 1 | -0/+3 |
| | | | | | | | | | A number of netfilter header-files used declarations and definitions from other headers without including them. Added include directives to make those declarations and definitions available. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
* | netfilter: reject: skip csum verification for protocols that don't support it | Alin Nastac | 2019-02-13 | 1 | -0/+27 |
Some protocols have other means to verify the payload integrity (AH, ESP, SCTP) while others are incompatible with nf_ip(6)_checksum implementation because checksum is either optional or might be partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used to validate the packets, ip(6)tables REJECT rules were not capable to generate ICMP(v6) errors for the protocols mentioned above. This commit also fixes the incorrect pseudo-header protocol used for IPv4 packets that carry other transport protocols than TCP or UDP (pseudo-header used protocol 0 iso the proper value). Signed-off-by: Alin Nastac <alin.nastac@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |