mirror of https://github.com/torvalds/linux.git
db99b2f2b3
tcp reject code won't reply to a tcp reset. But the icmp reject 'netdev' family versions will reply to icmp dst-unreach errors, unlike icmp_send() and icmp6_send() which are used by the inet family implementation (and internally by the REJECT target). Check for the icmp(6) type and do not respond if its an unreachable error. Without this, something like 'ip protocol icmp reject', when used in a netdev chain attached to 'lo', cause a packet loop. Same for two hosts that both use such a rule: each error packet will be replied to. Such situation persist until the (bogus) rule is amended to ratelimit or checks the icmp type before the reject statement. As the inet versions don't do this make the netdev ones follow along. Signed-off-by: Florian Westphal <fw@strlen.de> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| arp_tables.c | ||
| arpt_mangle.c | ||
| arptable_filter.c | ||
| ip_tables.c | ||
| ipt_ECN.c | ||
| ipt_REJECT.c | ||
| ipt_SYNPROXY.c | ||
| ipt_ah.c | ||
| ipt_rpfilter.c | ||
| iptable_filter.c | ||
| iptable_mangle.c | ||
| iptable_nat.c | ||
| iptable_raw.c | ||
| iptable_security.c | ||
| nf_defrag_ipv4.c | ||
| nf_dup_ipv4.c | ||
| nf_nat_h323.c | ||
| nf_nat_pptp.c | ||
| nf_nat_snmp_basic.asn1 | ||
| nf_nat_snmp_basic_main.c | ||
| nf_reject_ipv4.c | ||
| nf_socket_ipv4.c | ||
| nf_tproxy_ipv4.c | ||
| nft_dup_ipv4.c | ||
| nft_fib_ipv4.c | ||
| nft_reject_ipv4.c | ||