linux/net/ipv6/netfilter
Florian Westphal db99b2f2b3 netfilter: nf_reject: don't reply to icmp error messages
tcp reject code won't reply to a tcp reset.

But the icmp reject 'netdev' family versions will reply to icmp
dst-unreach errors, unlike icmp_send() and icmp6_send() which are used
by the inet family implementation (and internally by the REJECT target).

Check for the icmp(6) type and do not respond if it's an unreachable error.

Without this, something like 'ip protocol icmp reject', when used
in a netdev chain attached to 'lo', causes a packet loop.

Same for two hosts that both use such a rule: each error packet
will be replied to.

Such a situation persists until the (bogus) rule is amended to ratelimit or
check the icmp type before the reject statement.

As the inet versions don't do this make the netdev ones follow along.

Signed-off-by: Florian Westphal <fw@strlen.de>
2025-09-11 15:40:55 +02:00
ip6_tables.c netfilter: nf_dup{4, 6}: Move duplication check to task_struct 2025-05-23 13:57:12 +02:00
ip6t_ah.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_eui64.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ip6t_frag.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_hbh.c netfilter: ip6tables: Remove redundant null checks 2020-07-29 20:39:43 +02:00
ip6t_ipv6header.c netfilter: move inline nf_ip6_ext_hdr() function to a more appropriate header. 2019-09-13 12:34:09 +02:00
ip6t_mh.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ip6t_NPT.c netfilter: ip6t_NPT: rewrite addresses in ICMPv6 original packet 2020-08-28 19:18:48 +02:00
ip6t_REJECT.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
ip6t_rpfilter.c netfilter: ip6t_rpfilter: Fix regression with VRF interfaces 2023-02-22 00:22:20 +01:00
ip6t_rt.c netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6 2021-10-14 23:08:35 +02:00
ip6t_srh.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6t_SYNPROXY.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
ip6table_filter.c netfilter: use NF_DROP instead of -NF_DROP 2024-05-06 16:29:21 +02:00
ip6table_mangle.c netfilter: xt_mangle: only check verdict part of return value 2023-10-18 10:26:43 +02:00
ip6table_nat.c netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). 2024-07-31 23:21:34 +02:00
ip6table_raw.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
ip6table_security.c netfilter: ip6tables: allow use of ip6t_do_table as hookfn 2021-10-14 23:06:53 +02:00
Kconfig netfilter: add back NETFILTER_XTABLES dependencies 2025-08-07 13:19:25 +02:00
Makefile netfilter: xtables: allow xtables-nft only builds 2024-01-29 15:43:21 +01:00
nf_conntrack_reasm.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nf_defrag_ipv6_hooks.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nf_dup_ipv6.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
nf_reject_ipv6.c netfilter: nf_reject: don't reply to icmp error messages 2025-09-11 15:40:55 +02:00
nf_socket_ipv6.c tcp: Don't pass hashinfo to socket lookup helpers. 2025-08-25 17:53:35 -07:00
nf_tproxy_ipv6.c tcp: Don't pass hashinfo to socket lookup helpers. 2025-08-25 17:53:35 -07:00
nft_dup_ipv6.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_fib_ipv6.c netfilter: nf_tables: nft_fib: consistent l3mdev handling 2025-05-23 13:57:09 +02:00
nft_reject_ipv6.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00