Message ID | 20131022124323.GB3255@stfomichev-desktop
---|---
State | Accepted
On Tue, Oct 22, 2013 at 04:43:23PM +0400, Stanislav Fomichev wrote:
> Don't verify checksum for outgoing packets because checksum calculation
> may be done by the device.
>
> Without this patch:
> $ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
> $ time telnet ipv6.google.com 80
> Trying 2a00:1450:4010:c03::67...
> telnet: Unable to connect to remote host: Connection timed out
>
> real 0m7.201s
> user 0m0.000s
> sys 0m0.000s
>
> With the patch applied:
> $ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
> $ time telnet ipv6.google.com 80
> Trying 2a00:1450:4010:c03::67...
> telnet: Unable to connect to remote host: Connection refused
>
> real 0m0.085s
> user 0m0.000s
> sys 0m0.000s

Applied to nf-next, thanks!
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 70f9abc0efe9..0bf81ef80c90 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c @@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6"); MODULE_LICENSE("GPL"); /* Send RST reply */ -static void send_reset(struct net *net, struct sk_buff *oldskb) +static void send_reset(struct net *net, struct sk_buff *oldskb, int hook) { struct sk_buff *nskb; struct tcphdr otcph, *tcph; @@ -88,8 +88,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) } /* Check checksum. */ - if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP, - skb_checksum(oldskb, tcphoff, otcplen, 0))) { + if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) { pr_debug("TCP checksum is invalid\n"); return; } @@ -209,7 +208,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_action_param *par) /* Do nothing */ break; case IP6T_TCP_RESET: - send_reset(net, skb); + send_reset(net, skb, par->hooknum); break; default: net_info_ratelimited("case %u not handled yet\n", reject->with);
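Review bot: the `/* Check checksum. */` comment kept above the new `nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)` call no longer describes the OUTPUT path, where, as the commit message states, the checksum is deliberately not verified because the device may still compute it; extend the comment to say that verification is skipped for locally generated packets whose checksum is not yet filled in, so the early `return` with "TCP checksum is invalid" is not misread as covering that case. The two removed lines were also the only visible use of `otcplen` in this hunk; if `send_reset()` has no other use for it, drop the variable to avoid an unused-variable warning.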
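Review bot: `send_reset()` is given a new `int hook` parameter, but the only caller in the last hunk passes `par->hooknum`, which is a netfilter hook number and therefore never negative; declaring the parameter `unsigned int hook` matches the value it carries and avoids a signed/unsigned mismatch at the call site.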
Don't verify checksum for outgoing packets because checksum calculation
may be done by the device.

Without this patch:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection timed out

real 0m7.201s
user 0m0.000s
sys 0m0.000s

With the patch applied:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection refused

real 0m0.085s
user 0m0.000s
sys 0m0.000s

Signed-off-by: Stanislav Fomichev <stfomichev@yandex-team.ru>
---
 net/ipv6/netfilter/ip6t_REJECT.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)