Some protocols have other means to verify the payload integrity (AH, ESP, SCTP) while others are incompatible with the nf_ip(6)_checksum implementation because the checksum is either optional or might be partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used to validate the packets, ip(6)tables REJECT rules could not generate ICMP(v6) errors for the protocols mentioned above. This commit also fixes the incorrect pseudo-header protocol used for IPv4 packets that carry transport protocols other than TCP or UDP (the pseudo-header used protocol 0 instead of the proper value). Signed-off-by: Alin Nastac <alin.nastac@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _IPV6_NF_REJECT_H
#define _IPV6_NF_REJECT_H
#include <linux/icmpv6.h>
#include <net/netfilter/nf_reject.h>
/*
 * nf_send_unreach6 - declared here; the definition is not part of this header.
 *
 * @net:     network namespace the call is made for
 * @skb_in:  the packet being answered (passed non-const)
 * @code:    NOTE(review): presumably the ICMPv6 code of the error to emit,
 *           given the name and the <linux/icmpv6.h> include - confirm
 * @hooknum: NOTE(review): presumably the netfilter hook the packet was seen
 *           at - confirm against the definition
 *
 * Any validation of @skb_in before an error is generated (for example the
 * checksum handling) lives in the implementation and cannot be judged from
 * this prototype.
 */
void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
		      unsigned char code, unsigned int hooknum);
/*
 * nf_send_reset6 - declared here; the definition is not part of this header.
 *
 * NOTE(review): by its name this presumably answers @oldskb with a TCP
 * reset - confirm against the definition. @hook is a plain int here,
 * whereas nf_send_unreach6() takes its hook number as unsigned int.
 */
void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook);
/*
 * nf_reject_ip6_tcphdr_get - declared here; defined elsewhere.
 *
 * @oldskb:  packet to look at (passed non-const)
 * @otcph:   caller-supplied struct tcphdr, passed writable
 * @otcplen: caller-supplied unsigned int, passed writable
 * @hook:    hook value, plain int
 *
 * Returns a pointer to a read-only struct tcphdr.
 *
 * NOTE(review): presumably @otcph is scratch storage for the header and
 * @otcplen receives the TCP length, and presumably the result is NULL when
 * @oldskb does not qualify - callers should check the return value before
 * dereferencing it; confirm against the definition.
 */
const struct tcphdr *nf_reject_ip6_tcphdr_get(struct sk_buff *oldskb,
					      struct tcphdr *otcph,
					      unsigned int *otcplen,
					      int hook);
/*
 * nf_reject_ip6hdr_put - declared here; defined elsewhere.
 *
 * @nskb:     buffer passed writable
 * @oldskb:   original packet, read-only for this call
 * @protocol: 8-bit protocol value
 * @hoplimit: hop limit value, plain int
 *
 * Returns a writable pointer to a struct ipv6hdr.
 *
 * NOTE(review): presumably this writes an IPv6 header into @nskb derived
 * from @oldskb and returns it - confirm against the definition, including
 * whether @nskb must already have room for the header.
 */
struct ipv6hdr *nf_reject_ip6hdr_put(struct sk_buff *nskb,
				     const struct sk_buff *oldskb,
				     __u8 protocol,
				     int hoplimit);
/*
 * nf_reject_ip6_tcphdr_put - declared here; defined elsewhere.
 *
 * @nskb:    buffer passed writable
 * @oldskb:  original packet, read-only for this call
 * @oth:     TCP header, read-only for this call
 * @otcplen: unsigned length value, passed by value
 *
 * NOTE(review): @oth and @otcplen have the same types as the result and the
 * out-parameter of nf_reject_ip6_tcphdr_get(), so they presumably come from
 * that call; presumably a TCP header is written into @nskb - confirm
 * against the definition.
 */
void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
			      const struct sk_buff *oldskb,
			      const struct tcphdr *oth,
			      unsigned int otcplen);
#endif /* _IPV6_NF_REJECT_H */