affe759dba
As reported by Casper Gripenberg, in a bridged setup, using ip[6]t_REJECT with the tcp-reset option sends out reset packets with the src MAC address of the local bridge interface, instead of the MAC address of the intended destination. This causes some routers/firewalls to drop the reset packet as it appears to be spoofed. Fix this by bypassing ip[6]_local_out and setting the MAC of the sender in the tcp reset packet. This closes netfilter bugzilla #531. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
---|---|---|
.. | ||
ip6_tables.c | ||
ip6t_ah.c | ||
ip6t_eui64.c | ||
ip6t_frag.c | ||
ip6t_hbh.c | ||
ip6t_ipv6header.c | ||
ip6t_MASQUERADE.c | ||
ip6t_mh.c | ||
ip6t_NPT.c | ||
ip6t_REJECT.c | ||
ip6t_rpfilter.c | ||
ip6t_rt.c | ||
ip6table_filter.c | ||
ip6table_mangle.c | ||
ip6table_nat.c | ||
ip6table_raw.c | ||
ip6table_security.c | ||
Kconfig | ||
Makefile | ||
nf_conntrack_l3proto_ipv6.c | ||
nf_conntrack_proto_icmpv6.c | ||
nf_conntrack_reasm.c | ||
nf_defrag_ipv6_hooks.c | ||
nf_nat_l3proto_ipv6.c | ||
nf_nat_proto_icmpv6.c |