netfilter: ip6t_REJECT: skip checksum verification for outgoing ipv6 packets
Don't verify checksum for outgoing packets because checksum calculation may be done by the device. Without this patch: $ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset $ time telnet ipv6.google.com 80 Trying 2a00:1450:4010:c03::67... telnet: Unable to connect to remote host: Connection timed out real 0m7.201s user 0m0.000s sys 0m0.000s With the patch applied: $ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset $ time telnet ipv6.google.com 80 Trying 2a00:1450:4010:c03::67... telnet: Unable to connect to remote host: Connection refused real 0m0.085s user 0m0.000s sys 0m0.000s Signed-off-by: Stanislav Fomichev <stfomichev@yandex-team.ru> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
1a869205c7
commit
f2020b27be
|
@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
|
||||||
MODULE_LICENSE("GPL");
|
MODULE_LICENSE("GPL");
|
||||||
|
|
||||||
/* Send RST reply */
|
/* Send RST reply */
|
||||||
static void send_reset(struct net *net, struct sk_buff *oldskb)
|
static void send_reset(struct net *net, struct sk_buff *oldskb, int hook)
|
||||||
{
|
{
|
||||||
struct sk_buff *nskb;
|
struct sk_buff *nskb;
|
||||||
struct tcphdr otcph, *tcph;
|
struct tcphdr otcph, *tcph;
|
||||||
|
@ -88,8 +88,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check checksum. */
|
/* Check checksum. */
|
||||||
if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
|
if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) {
|
||||||
skb_checksum(oldskb, tcphoff, otcplen, 0))) {
|
|
||||||
pr_debug("TCP checksum is invalid\n");
|
pr_debug("TCP checksum is invalid\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -227,7 +226,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
/* Do nothing */
|
/* Do nothing */
|
||||||
break;
|
break;
|
||||||
case IP6T_TCP_RESET:
|
case IP6T_TCP_RESET:
|
||||||
send_reset(net, skb);
|
send_reset(net, skb, par->hooknum);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
net_info_ratelimited("case %u not handled yet\n", reject->with);
|
net_info_ratelimited("case %u not handled yet\n", reject->with);
|
||||||
|
|
Loading…
Reference in New Issue