On 7/2/19 9:04 PM, Bruce Ashfield wrote:
> On Tue, Jul 2, 2019 at 4:54 AM <zhe...@windriver.com> wrote:
>> From: He Zhe <zhe...@windriver.com>
>>
>> The patch has already been applied on the tree. This would trigger
>> re-application when features/net/net.scc included.
> Nothing should be including net.scc directly from a KERNEL_FEATURES.
> It is a patch + config block.
> So we won't be reverting this. Whatever is triggering that extra
> patching is using the wrong feature
> fragment.
>
> How exactly are you triggering the issue ?
I'm triggering the issue from features/net/team/team.scc which includes net.scc.
Zhe
>
> Bruce
>
>> This reverts commit b5776165c9d346c30356b9d95debd69588d58323.
>> ---
>> features/net/net.scc | 1 -
>> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92
>> ----------------------
>> 2 files changed, 93 deletions(-)
>> delete mode 100644
>> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>>
>> diff --git a/features/net/net.scc b/features/net/net.scc
>> index 722b320..4a4e0fb 100644
>> --- a/features/net/net.scc
>> +++ b/features/net/net.scc
>> @@ -1,3 +1,2 @@
>>
>> kconf hardware net.cfg
>> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> diff --git
>> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> deleted file mode 100644
>> index d1fdbf9..0000000
>> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
>> +++ /dev/null
>> @@ -1,92 +0,0 @@
>> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
>> -From: He Zhe <zhe...@windriver.com>
>> -Date: Tue, 25 Jun 2019 18:15:50 +0800
>> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=UTF-8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
>> -following iptables setting. Fox example,
>> -
>> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
>> -$ ping 127.0.0.1 -c 1
>> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
>> -— 127.0.0.1 ping statistics —
>> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
>> -
>> -We should have got the following reply from command line, but we did not.
>> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
>> -
>> -Yi Zhao reported it and narrowed it down to:
>> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that
>> don't support it"),
>> -
>> -This is because nf_ip_checksum still expects pseudo-header protocol type 0
>> for
>> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
>> -treated as TCP/UDP.
>> -
>> -This patch corrects the conditions in nf_ip_checksum and all other places
>> that
>> -still call it with protocol 0.
>> -
>> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for
>> protocols that don't support it")
>> -Reported-by: Yi Zhao <yi.z...@windriver.com>
>> -Signed-off-by: He Zhe <zhe...@windriver.com>
>> -Signed-off-by: Bruce Ashfield <bruce.ashfi...@gmail.com>
>> ----
>> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
>> - net/netfilter/nf_nat_proto.c | 2 +-
>> - net/netfilter/utils.c | 5 +++--
>> - 3 files changed, 5 insertions(+), 4 deletions(-)
>> -
>> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c
>> b/net/netfilter/nf_conntrack_proto_icmp.c
>> -index a824367ed518..dd53e2b20f6b 100644
>> ---- a/net/netfilter/nf_conntrack_proto_icmp.c
>> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
>> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
>> - /* See ip_conntrack_proto_tcp.c */
>> - if (state->net->ct.sysctl_checksum &&
>> - state->hook == NF_INET_PRE_ROUTING &&
>> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
>> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
>> - icmp_error_log(skb, state, "bad hw icmp checksum");
>> - return -NF_ACCEPT;
>> - }
>> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
>> -index 07da07788f6b..83a24cc5753b 100644
>> ---- a/net/netfilter/nf_nat_proto.c
>> -+++ b/net/netfilter/nf_nat_proto.c
>> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
>> -
>> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
>> - return 0;
>> -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
>> -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
>> - return 0;
>> -
>> - inside = (void *)skb->data + hdrlen;
>> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
>> -index 06dc55590441..51b454d8fa9c 100644
>> ---- a/net/netfilter/utils.c
>> -+++ b/net/netfilter/utils.c
>> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int
>> hook,
>> - case CHECKSUM_COMPLETE:
>> - if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
>> - break;
>> -- if ((protocol == 0 && !csum_fold(skb->csum)) ||
>> -+ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
>> -+ !csum_fold(skb->csum)) ||
>> - !csum_tcpudp_magic(iph->saddr, iph->daddr,
>> - skb->len - dataoff, protocol,
>> - skb->csum)) {
>> -@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int
>> hook,
>> - }
>> - /* fall through */
>> - case CHECKSUM_NONE:
>> -- if (protocol == 0)
>> -+ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
>> - skb->csum = 0;
>> - else
>> - skb->csum = csum_tcpudp_nofold(iph->saddr,
>> iph->daddr,
>> ---
>> -2.19.1
>> -
>> --
>> 2.7.4
>>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
--
_______________________________________________
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
