projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1a86920)
netfilter: ip6t_REJECT: skip checksum verification for outgoing ipv6 packets
authorStanislav Fomichev <stfomichev@yandex-team.ru>
Tue, 22 Oct 2013 12:43:23 +0000 (16:43 +0400)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 23 Oct 2013 09:20:00 +0000 (11:20 +0200)
Don't verify checksum for outgoing packets because checksum calculation
may be done by the device.

Without this patch:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection timed out

real    0m7.201s
user    0m0.000s
sys     0m0.000s

With the patch applied:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection refused

real    0m0.085s
user    0m0.000s
sys     0m0.000s

Signed-off-by: Stanislav Fomichev <stfomichev@yandex-team.ru>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv6/netfilter/ip6t_REJECT.c patch | blob | blame | history

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 56eef30ee5f6afb2ad1338649b30ffe8a5c5b948..da00a2ecde559431993f2e08ca29bc06a226155c 100644 (file)
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
 MODULE_LICENSE("GPL");
 
 /* Send RST reply */
-static void send_reset(struct net *net, struct sk_buff *oldskb)
+static void send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 {
        struct sk_buff *nskb;
        struct tcphdr otcph, *tcph;
@@ -88,8 +88,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        }
 
        /* Check checksum. */
-       if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
-                           skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+       if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) {
                pr_debug("TCP checksum is invalid\n");
                return;
        }
@@ -227,7 +226,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
                /* Do nothing */
                break;
        case IP6T_TCP_RESET:
-               send_reset(net, skb);
+               send_reset(net, skb, par->hooknum);
                break;
        default:
                net_info_ratelimited("case %u not handled yet\n", reject->with);