linux/net
Pablo Neira Ayuso 523b929d54 netfilter: nft_reject_bridge: don't use IP stack to reject traffic
If the packet is received via the bridge stack, this cannot reject
packets from the IP stack.

This adds functions to build the reject packet and send it from the
bridge stack. Comments and assumptions on this patch:

1) Validate the IPv4 and IPv6 headers before further processing: given
   that the packet comes from the bridge stack, we cannot assume they are
   clean. Truncated packets are dropped; we follow a similar approach to
   the existing iptables match/target extensions that need to inspect
   layer 4 headers that are not available. This also includes packets
   that are directed to multicast and broadcast Ethernet addresses.

2) br_deliver() is exported to inject the reject packet via
   bridge localout -> postrouting. So the approach is similar to what
   we already do in the iptables reject target. The reject packet is
   sent to the bridge port from which we have received the original
   packet.

3) The reject packet is forged based on the original packet. The TTL
   is set based on sysctl_ip_default_ttl for IPv4 and per-net
   ipv6.devconf_all hoplimit for IPv6.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-10-31 12:50:08 +01:00
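The checks the commit message lists under point 1) and the reject forging of point 3), worked through as an added example in user-space C. This is not the patch's own code or any kernel API: check_frame(), build_ipv4_rst(), DEFAULT_TTL (standing in for sysctl_ip_default_ttl), the verdict names and the sample SYN frame are all this example's own, and it covers plain untagged Ethernet/IPv4/TCP only (the IPv6 side of the patch is not modelled). The sample frame is constructed, not captured traffic.

```c
/* Added example, not code from this patch: a user-space model of the header checks
 * point 1) of the commit message calls for before a reject is forged from a bridged
 * frame, and of the IPv4 TCP RST forging of point 3). Names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum verdict { REJECT_OK, DROP_TRUNCATED, DROP_NOT_UNICAST, DROP_BAD_HEADER, DROP_UNSUPPORTED };
enum { ETH_HLEN = 14, ETH_P_IP = 0x0800, PROTO_TCP = 6, DEFAULT_TTL = 64 }; /* DEFAULT_TTL stands in for sysctl_ip_default_ttl */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static uint32_t sum16(uint32_t s, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) s += rd16(p);
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
static uint16_t fold(uint32_t s) {                 /* one's-complement fold; 0 means "verifies" */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* TCP checksum over the IPv4 pseudo-header plus a 20-byte, option-less TCP header. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp) {
    static const uint8_t ptail[4] = { 0, PROTO_TCP, 0, 20 };   /* zero, protocol, TCP length */
    return fold(sum16(sum16(sum16(0, ip + 12, 8), ptail, 4), tcp, 20));
}
/* Point 1): nothing about a frame taken off the bridge is trusted until its headers are checked. */
enum verdict check_frame(const uint8_t *f, size_t len) {
    if (len < ETH_HLEN) return DROP_TRUNCATED;
    if (f[0] & 1) return DROP_NOT_UNICAST;           /* I/G bit set: multicast or broadcast dst MAC */
    if (rd16(f + 12) != ETH_P_IP) return DROP_UNSUPPORTED;
    const uint8_t *ip = f + ETH_HLEN; size_t l3len = len - ETH_HLEN;
    if (l3len < 20) return DROP_TRUNCATED;
    size_t ihl = (size_t)(ip[0] & 0xf) * 4, tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl) return DROP_BAD_HEADER;
    if (tot > l3len) return DROP_TRUNCATED;          /* header claims more bytes than arrived */
    if (fold(sum16(0, ip, ihl)) != 0) return DROP_BAD_HEADER;
    if (ip[9] == PROTO_TCP) {                        /* a RST needs the complete TCP header */
        if (tot - ihl < 20) return DROP_TRUNCATED;
        size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;
        if (doff < 20 || doff > tot - ihl) return DROP_BAD_HEADER;
    }
    return REJECT_OK;
}
/* Point 3): forge the Ethernet/IPv4/TCP RST answering frame f into out (54 bytes).
 * Returns 54, or 0 when f fails check_frame(), is not TCP, or is itself a RST. */
size_t build_ipv4_rst(const uint8_t *f, size_t len, uint8_t ttl, uint8_t *out) {
    if (check_frame(f, len) != REJECT_OK) return 0;
    const uint8_t *ip = f + ETH_HLEN, *tcp = ip + (ip[0] & 0xf) * 4;
    if (ip[9] != PROTO_TCP || (tcp[13] & 0x04)) return 0;
    memset(out, 0, 54);
    memcpy(out, f + 6, 6); memcpy(out + 6, f, 6);    /* swap MACs: reply leaves the port it came in on */
    wr16(out + 12, ETH_P_IP);
    uint8_t *rip = out + ETH_HLEN, *rt = rip + 20;
    rip[0] = 0x45; wr16(rip + 2, 40); rip[8] = ttl; rip[9] = PROTO_TCP;
    memcpy(rip + 12, ip + 16, 4); memcpy(rip + 16, ip + 12, 4);   /* swap addresses */
    wr16(rip + 10, fold(sum16(0, rip, 20)));
    memcpy(rt, tcp + 2, 2); memcpy(rt + 2, tcp, 2);  /* swap ports */
    rt[12] = 0x50;                                   /* data offset 5, no options */
    if (tcp[13] & 0x10) { wr32(rt + 4, rd32(tcp + 8)); rt[13] = 0x04; }   /* ACK set: RST, seq = their ack */
    else {                                           /* otherwise RST|ACK, ack = their seq + segment length */
        uint32_t seglen = rd16(ip + 2) - (ip[0] & 0xf) * 4 - (tcp[12] >> 4) * 4 + !!(tcp[13] & 0x02) + !!(tcp[13] & 0x01);
        wr32(rt + 8, rd32(tcp + 4) + seglen); rt[13] = 0x14;   /* SYN and FIN each occupy one sequence number */
    }
    wr16(rt + 16, tcp_csum(rip, rt));
    return 54;
}
/* Constructed sample, not captured traffic: TCP SYN 10.0.0.1:40000 -> 10.0.0.2:22 between
 * unicast MACs. Its TCP checksum is left 0; check_frame() does not verify L4 checksums. */
size_t make_sample_syn(uint8_t *buf) {
    static const uint8_t frame[54] = {
        0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,                               /* dst MAC, src MAC, IPv4 */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2, /* ihl 5, len 40, DF, TTL 64, TCP, addrs */
        0x9c,0x40, 0x00,0x16, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x00,                /* ports, seq 0x1000, ack 0 */
        0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };                                 /* doff 5, SYN, window, csum, urg */
    memcpy(buf, frame, sizeof frame);
    wr16(buf + ETH_HLEN + 10, fold(sum16(0, buf + ETH_HLEN, 20)));   /* fill in the IPv4 checksum */
    return sizeof frame;
}
/* check_frame() over the sample and four single-edit corruptions of it. */
enum verdict sample_verdict(int corruption) {
    uint8_t f[64]; size_t n = make_sample_syn(f);
    if (corruption == 1) n = 40;                     /* cut short inside the TCP header */
    if (corruption == 2) memset(f, 0xff, 6);         /* broadcast destination MAC */
    if (corruption == 3) f[ETH_HLEN + 8] = 1;        /* TTL edited, IPv4 checksum now stale */
    if (corruption == 4) f[ETH_HLEN + 3] = 0x60;     /* tot_len claims 96 bytes, only 40 present */
    return check_frame(f, n);
}
/* Forge the RST for the sample SYN and confirm it is itself a valid frame with the expected fields. */
int sample_rst_ok(void) {
    uint8_t f[64], r[64]; size_t n = make_sample_syn(f);
    if (build_ipv4_rst(f, n, DEFAULT_TTL, r) != 54 || check_frame(r, 54) != REJECT_OK) return 0;
    const uint8_t *rt = r + ETH_HLEN + 20;
    return tcp_csum(r + ETH_HLEN, rt) == 0 && r[ETH_HLEN + 8] == DEFAULT_TTL && rt[13] == 0x14
        && rd32(rt + 8) == 0x1001 && rd16(rt) == 22 && rd16(rt + 2) == 40000 && memcmp(r, f + 6, 6) == 0;
}
```

The two "truncated" outcomes are the ones worth noticing: a frame physically cut short and a frame whose IPv4 total length exceeds what arrived both reach check_frame() as valid-looking bytes, and only the length-versus-header comparison separates them from a clean packet. Ordering the checksum test after the length test matters too, since summing ihl bytes of a header that claims more than is present would read past the frame. The RST itself is built under the RFC 793 reset rules (seq taken from the peer's ack when ACK is set, otherwise RST|ACK with ack = seq + segment length), and an incoming RST is never answered, which is what keeps two reject rules on either side of a bridge from ping-ponging.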
6lowpan
9p 9p/trans_virtio: enable VQs early 2014-10-15 10:25:04 +10:30
802
8021q net: better IFF_XMIT_DST_RELEASE support 2014-10-07 13:22:11 -04:00
appletalk
atm net: better IFF_XMIT_DST_RELEASE support 2014-10-07 13:22:11 -04:00
ax25
batman-adv batman-adv: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
bluetooth Bluetooth: 6lowpan: Check transmit errors for multicast packets 2014-10-02 13:41:57 +03:00
bridge netfilter: nft_reject_bridge: don't use IP stack to reject traffic 2014-10-31 12:50:08 +01:00
caif caif_usb: use target structure member in memset 2014-10-14 16:05:45 -04:00
can
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2014-10-15 06:46:01 +02:00
core net: core: handle encapsulation offloads when computing segment lengths 2014-10-20 12:38:13 -04:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-10-18 09:31:37 -07:00
decnet
dns_resolver Merge commit 'v3.16' into next 2014-10-01 00:44:04 +10:00
dsa Net: DSA: Fix checking for get_phy_flags function 2014-10-19 12:46:31 -04:00
ethernet
hsr
ieee802154 Merge tag 'master-2014-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-10-05 21:34:39 -04:00
ipv4 netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions 2014-10-31 12:49:05 +01:00
ipv6 netfilter: nf_reject_ipv6: split nf_send_reset6() in smaller functions 2014-10-31 12:49:57 +01:00
ipx
irda irda: add __init to irlan_open 2014-09-30 17:08:06 -04:00
iucv
key
l2tp
lapb
llc net_dma: simple removal 2014-09-28 07:05:16 -07:00
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-10-07 14:48:29 -04:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-10-08 21:40:54 -04:00
mpls net: gso: use feature flag argument in all protocol gso handlers 2014-10-20 12:38:12 -04:00
netfilter ipvs: Avoid null-pointer deref in debug code 2014-10-28 09:48:31 +09:00
netlabel netlabel: kernel-doc warning fix 2014-10-09 01:40:05 -04:00
netlink netlink: Re-add locking to netlink_lookup() and seq walker 2014-10-21 21:34:49 -04:00
netrom netrom: use linux/uaccess.h 2014-10-17 23:52:54 -04:00
nfc
openvswitch net: make skb_gso_segment error handling more robust 2014-10-20 12:38:13 -04:00
packet
phonet net: fix rcu access on phonet_routes 2014-10-06 18:16:30 -04:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-10-18 09:31:37 -07:00
rfkill net: rfkill: kernel-doc warning fixes 2014-10-08 15:24:15 -04:00
rose
rxrpc Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2014-10-12 10:13:55 -04:00
sched net: sched: initialize bstats syncp 2014-10-21 21:45:21 -04:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-10-18 09:31:37 -07:00
sunrpc Merge branch 'for-3.18' of git://linux-nfs.org/~bfields/linux 2014-10-08 12:51:44 -04:00
tipc tipc: fix lockdep warning when intra-node messages are delivered 2014-10-21 15:28:15 -04:00
unix af_unix: remove 0 assignment on static 2014-10-07 17:03:14 -04:00
vmw_vsock
wimax wimax: convert printk to pr_foo() 2014-10-07 20:28:44 -04:00
wireless lib80211: remove unused print_ssid() 2014-10-14 02:18:27 +02:00
x25
xfrm net: make skb_gso_segment error handling more robust 2014-10-20 12:38:13 -04:00
compat.c
Kconfig net: bpf: fix bpf syscall dependence on anon_inodes 2014-10-10 15:02:23 -04:00
Makefile
nonet.c
socket.c File locking related changes for v3.18 (pile #1) 2014-10-11 13:21:34 -04:00
sysctl_net.c