On 7/2/19 9:04 PM, Bruce Ashfield wrote: > On Tue, Jul 2, 2019 at 4:54 AM <zhe...@windriver.com> wrote: >> From: He Zhe <zhe...@windriver.com> >> >> The patch has already been applied on the tree. This would trigger >> re-application when features/net/net.scc included. > Nothing should be including net.scc directly from a KERNEL_FEATURES. > It is a patch + config block. > So we won't be reverting this. Whatever is triggering that extra > patching is using the wrong feature > fragment. > > How exactly are you triggering the issue ?
I'm triggering the issue from features/net/team/team.scc which includes net.scc. Zhe > > Bruce > >> This reverts commit b5776165c9d346c30356b9d95debd69588d58323. >> --- >> features/net/net.scc | 1 - >> ...Fix-remainder-of-pseudo-header-protocol-0.patch | 92 >> ---------------------- >> 2 files changed, 93 deletions(-) >> delete mode 100644 >> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch >> >> diff --git a/features/net/net.scc b/features/net/net.scc >> index 722b320..4a4e0fb 100644 >> --- a/features/net/net.scc >> +++ b/features/net/net.scc >> @@ -1,3 +1,2 @@ >> >> kconf hardware net.cfg >> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch >> diff --git >> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch >> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch >> deleted file mode 100644 >> index d1fdbf9..0000000 >> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch >> +++ /dev/null >> @@ -1,92 +0,0 @@ >> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001 >> -From: He Zhe <zhe...@windriver.com> >> -Date: Tue, 25 Jun 2019 18:15:50 +0800 >> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0 >> -MIME-Version: 1.0 >> -Content-Type: text/plain; charset=UTF-8 >> -Content-Transfer-Encoding: 8bit >> - >> -Since v5.1-rc1, some types of packets do not get unreachable reply with the >> -following iptables setting. Fox example, >> - >> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT >> -$ ping 127.0.0.1 -c 1 >> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. >> -— 127.0.0.1 ping statistics — >> -1 packets transmitted, 0 received, 100% packet loss, time 0ms >> - >> -We should have got the following reply from command line, but we did not. >> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable >> - >> -Yi Zhao reported it and narrowed it down to: >> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that >> don't support it"), >> - >> -This is because nf_ip_checksum still expects pseudo-header protocol type 0 >> for >> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly >> -treated as TCP/UDP. >> - >> -This patch corrects the conditions in nf_ip_checksum and all other places >> that >> -still call it with protocol 0. >> - >> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for >> protocols that don't support it") >> -Reported-by: Yi Zhao <yi.z...@windriver.com> >> -Signed-off-by: He Zhe <zhe...@windriver.com> >> -Signed-off-by: Bruce Ashfield <bruce.ashfi...@gmail.com> >> ---- >> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +- >> - net/netfilter/nf_nat_proto.c | 2 +- >> - net/netfilter/utils.c | 5 +++-- >> - 3 files changed, 5 insertions(+), 4 deletions(-) >> - >> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c >> b/net/netfilter/nf_conntrack_proto_icmp.c >> -index a824367ed518..dd53e2b20f6b 100644 >> ---- a/net/netfilter/nf_conntrack_proto_icmp.c >> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c >> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl, >> - /* See ip_conntrack_proto_tcp.c */ >> - if (state->net->ct.sysctl_checksum && >> - state->hook == NF_INET_PRE_ROUTING && >> -- nf_ip_checksum(skb, state->hook, dataoff, 0)) { >> -+ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) { >> - icmp_error_log(skb, state, "bad hw icmp checksum"); >> - return -NF_ACCEPT; >> - } >> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c >> -index 07da07788f6b..83a24cc5753b 100644 >> ---- a/net/netfilter/nf_nat_proto.c >> -+++ b/net/netfilter/nf_nat_proto.c >> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, >> - >> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside))) >> - return 0; >> -- if (nf_ip_checksum(skb, hooknum, hdrlen, 0)) >> -+ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP)) >> - return 0; >> - >> - inside = (void *)skb->data + hdrlen; >> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c >> -index 06dc55590441..51b454d8fa9c 100644 >> ---- a/net/netfilter/utils.c >> -+++ b/net/netfilter/utils.c >> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int >> hook, >> - case CHECKSUM_COMPLETE: >> - if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) >> - break; >> -- if ((protocol == 0 && !csum_fold(skb->csum)) || >> -+ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && >> -+ !csum_fold(skb->csum)) || >> - !csum_tcpudp_magic(iph->saddr, iph->daddr, >> - skb->len - dataoff, protocol, >> - skb->csum)) { >> -@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int >> hook, >> - } >> - /* fall through */ >> - case CHECKSUM_NONE: >> -- if (protocol == 0) >> -+ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) >> - skb->csum = 0; >> - else >> - skb->csum = csum_tcpudp_nofold(iph->saddr, >> iph->daddr, >> --- >> -2.19.1 >> - >> -- >> 2.7.4 >> > > -- > - Thou shalt not follow the NULL pointer, for chaos and madness await > thee at its end > - "Use the force Harry" - Gandalf, Star Trek II > -- _______________________________________________ linux-yocto mailing list linux-yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/linux-yocto