summaryrefslogtreecommitdiff
path: root/fs/filesystems.c
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2014-10-25 20:40:26 +0400
committerPablo Neira Ayuso <pablo@netfilter.org>2014-10-31 14:50:08 +0300
commit523b929d5446c023e1219aa81455a8c766cac883 (patch)
tree3ecc2b3ae4776fdf86c8d7c4322a8297b814754b /fs/filesystems.c
parent8bfcdf6671b1c8006c52c3eaf9fd1b5dfcf41c3d (diff)
downloadlinux-523b929d5446c023e1219aa81455a8c766cac883.tar.xz
netfilter: nft_reject_bridge: don't use IP stack to reject traffic
If the packet is received via the bridge stack, this cannot reject packets from the IP stack. This adds functions to build the reject packet and send it from the bridge stack. Comments and assumptions on this patch: 1) Validate the IPv4 and IPv6 headers before further processing, given that the packet comes from the bridge stack, we cannot assume they are clean. Truncated packets are dropped, we follow similar approach in the existing iptables match/target extensions that need to inspect layer 4 headers that is not available. This also includes packets that are directed to multicast and broadcast ethernet addresses. 2) br_deliver() is exported to inject the reject packet via bridge localout -> postrouting. So the approach is similar to what we already do in the iptables reject target. The reject packet is sent to the bridge port from which we have received the original packet. 3) The reject packet is forged based on the original packet. The TTL is set based on sysctl_ip_default_ttl for IPv4 and per-net ipv6.devconf_all hoplimit for IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'fs/filesystems.c')
0 files changed, 0 insertions, 0 deletions