* [PATCH 1/18] netfilter: ipt_REJECT Target nonlinear fixes
@ 2005-01-05  3:05 Rusty Russell
  2005-02-16 15:21 ` Missing "ip6t_REJECT.h" Sven Anders
  0 siblings, 1 reply; 2+ messages in thread
From: Rusty Russell @ 2005-01-05  3:05 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Harald Welte, Netfilter development mailing list

[ Dave is away, but I want these to get a reasonable amount of testing
before 2.6.11, so sent straight to Linus ]

Name: ipt_REJECT Target nonlinear fixes
Status: Tested under valgrind
Signed-off-by: Rusty Russell

nfsim now generates non-linear packets: when run under valgrind it
finds linear assumptions very nicely.  This is the second thing I
tried, and it found a real bug.

In this case, checking the UDP checksum is correct, but overkill, and
like the ICMP header handling, does not handle non-linear packets.  Remove UDP
checksum, fix ICMP error.

Index: linux-2.6.10-bk1-Netfilter/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.10-bk1-Netfilter.orig/net/ipv4/netfilter/ipt_REJECT.c	2005-01-04 14:55:59.721943664 +1100
+++ linux-2.6.10-bk1-Netfilter/net/ipv4/netfilter/ipt_REJECT.c	2005-01-04 14:56:44.538130568 +1100
@@ -223,7 +223,6 @@
 static void send_unreach(struct sk_buff *skb_in, int code)
 {
 	struct iphdr *iph;
-	struct udphdr *udph;
 	struct icmphdr *icmph;
 	struct sk_buff *nskb;
 	u32 saddr;
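
Review bot: with `udph` dropped from the declarations at the top of send_unreach(), `icmph` is the only protocol-header pointer left at function scope, while the buffer it may point into (`struct icmphdr ihdr`) is declared inside the ICMP branch in the next hunk. Declaring `icmph` in that same block would keep the pointer and its backing storage in one scope and make it harder to use `icmph` after `ihdr` has gone out of scope.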
@@ -257,26 +256,13 @@
 	if (skb_in->len < skb_in->nh.iph->ihl*4 + 8)
 		return;
 
-	/* if UDP checksum is set, verify it's correct */
-	if (iph->protocol == IPPROTO_UDP
-	    && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
-		int datalen = skb_in->len - (iph->ihl<<2);
-		udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
-		if (udph->check
-		    && csum_tcpudp_magic(iph->saddr, iph->daddr,
-		                         datalen, IPPROTO_UDP,
-		                         csum_partial((char *)udph, datalen,
-		                                      0)) != 0)
-			return;
-	}
-
 	/* If we send an ICMP error to an ICMP error a mess would result.. */
-	if (iph->protocol == IPPROTO_ICMP
-	    && skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
-		icmph = (struct icmphdr *)((char *)iph + (iph->ihl<<2));
+	if (iph->protocol == IPPROTO_ICMP) {
+		struct icmphdr ihdr;
 
-		if (skb_copy_bits(skb_in, skb_in->nh.iph->ihl*4,
-				  icmph, sizeof(*icmph)) < 0)
+		icmph = skb_header_pointer(skb_in, skb_in->nh.iph->ihl*4,
+					   sizeof(ihdr), &ihdr);
+		if (!icmph)
 			return;
 
 		/* Between echo-reply (0) and timestamp (13),
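
Review bot: the removed UDP block means send_unreach() no longer returns early for a UDP packet whose checksum fails, and nothing in the code records that this is deliberate. The changelog calls the check "correct, but overkill"; a one-line comment above the ICMP test (or a sentence in the changelog on why replying to such packets is acceptable) would keep a later reader from re-adding a linear-only checksum walk. In the new ICMP branch the condition reads `iph->protocol` but the offset passed to skb_header_pointer() is `skb_in->nh.iph->ihl*4`; if `iph` is the same header at this point (its assignment is outside the visible lines), using `iph->ihl*4` in both places would read more consistently. `sizeof(ihdr)` with `&ihdr` is fine, and the NULL check correctly replaces the old `skb_in->tail` bound.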

-- 
A bad analogy is like a leaky screwdriver -- Richard Braakman


* Missing "ip6t_REJECT.h"
  2005-01-05  3:05 [PATCH 1/18] netfilter: ipt_REJECT Target nonlinear fixes Rusty Russell
@ 2005-02-16 15:21 ` Sven Anders
  0 siblings, 0 replies; 2+ messages in thread
From: Sven Anders @ 2005-02-16 15:21 UTC (permalink / raw)
  To: netfilter-devel

Hello!

I'm using the kernel 2.6.10 and I'm missing the "ip6t_REJECT.h" header file.
It's gone since 2.6.9:

- --- a/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-10-18 14:55:53 -07:00
+++ /dev/null Wed Dec 31 16:00:00 196900

(From: http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fpatch-2.6.9.bz2;z=3839)

I tried to add the target from the latest patch-o-matic, but it failed (because the header file is not there).
Is the target broken (only under 2.6.x) ??

Please update the "info" or "help" file, if so...

With regards
~ Sven

- --
~ Sven Anders <anders@anduras.de>                 () Ascii Ribbon Campaign
~                                                 /\ Support plain text e-mail
~ ANDURAS service solutions AG
~ Innstraße 71 - 94036 Passau - Germany
~ Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Rechtsform: Aktiengesellschaft - Sitz: Passau - Amtsgericht Passau HRB 6032
Mitglieder des Vorstands: Sven Anders, Marcus Junker, Michael Schön
Vorsitzender des Aufsichtsrats: Dipl. Kfm. Thomas Träger
