[linux-2.6-block.git] / net / ipv4 / netfilter / nf_reject_ipv4.c

// SPDX-License-Identifier: GPL-2.0-only
/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
 */

#include <linux/module.h>
#include <net/ip.h>
#include <net/tcp.h>
#include <net/route.h>
#include <net/dst.h>
#include <net/netfilter/ipv4/nf_reject.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_bridge.h>

static int nf_reject_iphdr_validate(struct sk_buff *skb)
{
	struct iphdr *iph;
	u32 len;

	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
		return 0;

	iph = ip_hdr(skb);
	if (iph->ihl < 5 || iph->version != 4)
		return 0;

	len = ntohs(iph->tot_len);
	if (skb->len < len)
		return 0;
	else if (len < (iph->ihl*4))
		return 0;

	if (!pskb_may_pull(skb, iph->ihl*4))
		return 0;

	return 1;
}

struct sk_buff *nf_reject_skb_v4_tcp_reset(struct net *net,
					   struct sk_buff *oldskb,
					   const struct net_device *dev,
					   int hook)
{
	const struct tcphdr *oth;
	struct sk_buff *nskb;
	struct iphdr *niph;
	struct tcphdr _oth;

	if (!nf_reject_iphdr_validate(oldskb))
		return NULL;

	oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
	if (!oth)
		return NULL;

	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
			 LL_MAX_HEADER, GFP_ATOMIC);
	if (!nskb)
		return NULL;

	nskb->dev = (struct net_device *)dev;

	skb_reserve(nskb, LL_MAX_HEADER);
	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
				   READ_ONCE(net->ipv4.sysctl_ip_default_ttl));
	nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
	niph->tot_len = htons(nskb->len);
	ip_send_check(niph);

	return nskb;
}
EXPORT_SYMBOL_GPL(nf_reject_skb_v4_tcp_reset);

struct sk_buff *nf_reject_skb_v4_unreach(struct net *net,
					 struct sk_buff *oldskb,
					 const struct net_device *dev,
					 int hook, u8 code)
{
	struct sk_buff *nskb;
	struct iphdr *niph;
	struct icmphdr *icmph;
	unsigned int len;
	int dataoff;
	__wsum csum;
	u8 proto;

	if (!nf_reject_iphdr_validate(oldskb))
		return NULL;

	/* IP header checks: fragment. */
	if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
		return NULL;

	/* RFC says return as much as we can without exceeding 576 bytes. */
	len = min_t(unsigned int, 536, oldskb->len);

	if (!pskb_may_pull(oldskb, len))
		return NULL;

	if (pskb_trim_rcsum(oldskb, ntohs(ip_hdr(oldskb)->tot_len)))
		return NULL;

	dataoff = ip_hdrlen(oldskb);
	proto = ip_hdr(oldskb)->protocol;

	if (!skb_csum_unnecessary(oldskb) &&
	    nf_reject_verify_csum(oldskb, dataoff, proto) &&
	    nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), proto))
		return NULL;

	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr) +
			 LL_MAX_HEADER + len, GFP_ATOMIC);
	if (!nskb)
		return NULL;

	nskb->dev = (struct net_device *)dev;

	skb_reserve(nskb, LL_MAX_HEADER);
	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_ICMP,
				   READ_ONCE(net->ipv4.sysctl_ip_default_ttl));

	skb_reset_transport_header(nskb);
	icmph = skb_put_zero(nskb, sizeof(struct icmphdr));
	icmph->type     = ICMP_DEST_UNREACH;
	icmph->code	= code;

	skb_put_data(nskb, skb_network_header(oldskb), len);

	csum = csum_partial((void *)icmph, len + sizeof(struct icmphdr), 0);
	icmph->checksum = csum_fold(csum);

	niph->tot_len	= htons(nskb->len);
	ip_send_check(niph);

	return nskb;
}
EXPORT_SYMBOL_GPL(nf_reject_skb_v4_unreach);

const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
					     struct tcphdr *_oth, int hook)
{
	const struct tcphdr *oth;

	/* IP header checks: fragment. */
	if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
		return NULL;

	if (ip_hdr(oldskb)->protocol != IPPROTO_TCP)
		return NULL;

	oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
				 sizeof(struct tcphdr), _oth);
	if (oth == NULL)
		return NULL;

	/* No RST for RST. */
	if (oth->rst)
		return NULL;

	/* Check checksum */
	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
		return NULL;

	return oth;
}
EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_get);

struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb,
				  const struct sk_buff *oldskb,
				  __u8 protocol, int ttl)
{
	struct iphdr *niph, *oiph = ip_hdr(oldskb);

	skb_reset_network_header(nskb);
	niph = skb_put(nskb, sizeof(struct iphdr));
	niph->version	= 4;
	niph->ihl	= sizeof(struct iphdr) / 4;
	niph->tos	= 0;
	niph->id	= 0;
	niph->frag_off	= htons(IP_DF);
	niph->protocol	= protocol;
	niph->check	= 0;
	niph->saddr	= oiph->daddr;
	niph->daddr	= oiph->saddr;
	niph->ttl	= ttl;

	nskb->protocol = htons(ETH_P_IP);

	return niph;
}
EXPORT_SYMBOL_GPL(nf_reject_iphdr_put);

void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb,
			  const struct tcphdr *oth)
{
	struct iphdr *niph = ip_hdr(nskb);
	struct tcphdr *tcph;

	skb_reset_transport_header(nskb);
	tcph = skb_put_zero(nskb, sizeof(struct tcphdr));
	tcph->source	= oth->dest;
	tcph->dest	= oth->source;
	tcph->doff	= sizeof(struct tcphdr) / 4;

	if (oth->ack) {
		tcph->seq = oth->ack_seq;
	} else {
		tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
				      oldskb->len - ip_hdrlen(oldskb) -
				      (oth->doff << 2));
		tcph->ack = 1;
	}

	tcph->rst	= 1;
	tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
				    niph->daddr, 0);
	nskb->ip_summed = CHECKSUM_PARTIAL;
	nskb->csum_start = (unsigned char *)tcph - nskb->head;
	nskb->csum_offset = offsetof(struct tcphdr, check);
}
EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_put);

static int nf_reject_fill_skb_dst(struct sk_buff *skb_in)
{
	struct dst_entry *dst = NULL;
	struct flowi fl;

	memset(&fl, 0, sizeof(struct flowi));
	fl.u.ip4.daddr = ip_hdr(skb_in)->saddr;
	nf_ip_route(dev_net(skb_in->dev), &dst, &fl, false);
	if (!dst)
		return -1;

	skb_dst_set(skb_in, dst);
	return 0;
}

/* Send RST reply */
void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
		   int hook)
{
	struct net_device *br_indev __maybe_unused;
	struct sk_buff *nskb;
	struct iphdr *niph;
	const struct tcphdr *oth;
	struct tcphdr _oth;

	oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
	if (!oth)
		return;

	if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) &&
	    nf_reject_fill_skb_dst(oldskb) < 0)
		return;

	if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
		return;

	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
			 LL_MAX_HEADER, GFP_ATOMIC);
	if (!nskb)
		return;

	/* ip_route_me_harder expects skb->dst to be set */
	skb_dst_set_noref(nskb, skb_dst(oldskb));

	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);

	skb_reserve(nskb, LL_MAX_HEADER);
	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
				   ip4_dst_hoplimit(skb_dst(nskb)));
	nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
	if (ip_route_me_harder(net, sk, nskb, RTN_UNSPEC))
		goto free_nskb;

	niph = ip_hdr(nskb);

	/* "Never happens" */
	if (nskb->len > dst_mtu(skb_dst(nskb)))
		goto free_nskb;

	nf_ct_attach(nskb, oldskb);

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	/* If we use ip_local_out for bridged traffic, the MAC source on
	 * the RST will be ours, instead of the destination's.  This confuses
	 * some routers/firewalls, and they drop the packet.  So we need to
	 * build the eth header using the original destination's MAC as the
	 * source, and send the RST packet directly.
	 */
	br_indev = nf_bridge_get_physindev(oldskb);
	if (br_indev) {
		struct ethhdr *oeth = eth_hdr(oldskb);

		nskb->dev = br_indev;
		niph->tot_len = htons(nskb->len);
		ip_send_check(niph);
		if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol),
				    oeth->h_source, oeth->h_dest, nskb->len) < 0)
			goto free_nskb;
		dev_queue_xmit(nskb);
	} else
#endif
		ip_local_out(net, nskb->sk, nskb);

	return;

 free_nskb:
	kfree_skb(nskb);
}
EXPORT_SYMBOL_GPL(nf_send_reset);

void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
{
	struct iphdr *iph = ip_hdr(skb_in);
	int dataoff = ip_hdrlen(skb_in);
	u8 proto = iph->protocol;

	if (iph->frag_off & htons(IP_OFFSET))
		return;

	if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) &&
	    nf_reject_fill_skb_dst(skb_in) < 0)
		return;

	if (skb_csum_unnecessary(skb_in) ||
	    !nf_reject_verify_csum(skb_in, dataoff, proto)) {
		icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
		return;
	}

	if (nf_ip_checksum(skb_in, hook, dataoff, proto) == 0)
		icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
}
EXPORT_SYMBOL_GPL(nf_send_unreach);

MODULE_LICENSE("GPL");
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
c8d7b98b PNA	2	/* (C) 1999-2001 Paul `Rusty' Russell
c8d7b98b PNA	3	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
c8d7b98b PNA	4	*/
c8d7b98b PNA	5
ab2d7251	6	#include <linux/module.h>
c8d7b98b PNA	7	#include <net/ip.h>
	8	#include <net/tcp.h>
	9	#include <net/route.h>
	10	#include <net/dst.h>
56768644	11	#include <net/netfilter/ipv4/nf_reject.h>
c8d7b98b	12	#include <linux/netfilter_ipv4.h>
c737b7c4	13	#include <linux/netfilter_bridge.h>
c8d7b98b	14
fa538f7c JGG	15	static int nf_reject_iphdr_validate(struct sk_buff *skb)
	16	{
	17	struct iphdr *iph;
	18	u32 len;
	19
	20	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
	21	return 0;
	22
	23	iph = ip_hdr(skb);
	24	if (iph->ihl < 5 \|\| iph->version != 4)
	25	return 0;
	26
	27	len = ntohs(iph->tot_len);
	28	if (skb->len < len)
	29	return 0;
	30	else if (len < (iph->ihl*4))
	31	return 0;
	32
	33	if (!pskb_may_pull(skb, iph->ihl*4))
	34	return 0;
	35
	36	return 1;
	37	}
	38
	39	struct sk_buff nf_reject_skb_v4_tcp_reset(struct net net,
	40	struct sk_buff *oldskb,
	41	const struct net_device *dev,
	42	int hook)
	43	{
	44	const struct tcphdr *oth;
	45	struct sk_buff *nskb;
	46	struct iphdr *niph;
	47	struct tcphdr _oth;
	48
	49	if (!nf_reject_iphdr_validate(oldskb))
	50	return NULL;
	51
	52	oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
	53	if (!oth)
	54	return NULL;
	55
	56	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
	57	LL_MAX_HEADER, GFP_ATOMIC);
	58	if (!nskb)
	59	return NULL;
	60
	61	nskb->dev = (struct net_device *)dev;
	62
	63	skb_reserve(nskb, LL_MAX_HEADER);
	64	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
8281b7ec	65	READ_ONCE(net->ipv4.sysctl_ip_default_ttl));
fa538f7c JGG	66	nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
	67	niph->tot_len = htons(nskb->len);
	68	ip_send_check(niph);
	69
	70	return nskb;
	71	}
	72	EXPORT_SYMBOL_GPL(nf_reject_skb_v4_tcp_reset);
	73
	74	struct sk_buff nf_reject_skb_v4_unreach(struct net net,
	75	struct sk_buff *oldskb,
	76	const struct net_device *dev,
	77	int hook, u8 code)
	78	{
	79	struct sk_buff *nskb;
	80	struct iphdr *niph;
	81	struct icmphdr *icmph;
	82	unsigned int len;
4f9bd530	83	int dataoff;
fa538f7c JGG	84	__wsum csum;
	85	u8 proto;
	86
	87	if (!nf_reject_iphdr_validate(oldskb))
	88	return NULL;
	89
	90	/* IP header checks: fragment. */
	91	if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
	92	return NULL;
	93
	94	/* RFC says return as much as we can without exceeding 576 bytes. */
	95	len = min_t(unsigned int, 536, oldskb->len);
	96
	97	if (!pskb_may_pull(oldskb, len))
	98	return NULL;
	99
	100	if (pskb_trim_rcsum(oldskb, ntohs(ip_hdr(oldskb)->tot_len)))
	101	return NULL;
	102
4f9bd530	103	dataoff = ip_hdrlen(oldskb);
fa538f7c JGG	104	proto = ip_hdr(oldskb)->protocol;
	105
	106	if (!skb_csum_unnecessary(oldskb) &&
4f9bd530	107	nf_reject_verify_csum(oldskb, dataoff, proto) &&
fa538f7c JGG	108	nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), proto))
	109	return NULL;
	110
	111	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr) +
	112	LL_MAX_HEADER + len, GFP_ATOMIC);
	113	if (!nskb)
	114	return NULL;
	115
	116	nskb->dev = (struct net_device *)dev;
	117
	118	skb_reserve(nskb, LL_MAX_HEADER);
	119	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_ICMP,
8281b7ec	120	READ_ONCE(net->ipv4.sysctl_ip_default_ttl));
fa538f7c JGG	121
	122	skb_reset_transport_header(nskb);
	123	icmph = skb_put_zero(nskb, sizeof(struct icmphdr));
	124	icmph->type = ICMP_DEST_UNREACH;
	125	icmph->code = code;
	126
	127	skb_put_data(nskb, skb_network_header(oldskb), len);
	128
	129	csum = csum_partial((void *)icmph, len + sizeof(struct icmphdr), 0);
	130	icmph->checksum = csum_fold(csum);
	131
	132	niph->tot_len = htons(nskb->len);
	133	ip_send_check(niph);
	134
	135	return nskb;
	136	}
	137	EXPORT_SYMBOL_GPL(nf_reject_skb_v4_unreach);
	138
052b9498 PNA	139	const struct tcphdr nf_reject_ip_tcphdr_get(struct sk_buff oldskb,
052b9498 PNA	140	struct tcphdr *_oth, int hook)
c8d7b98b	141	{
c8d7b98b	142	const struct tcphdr *oth;
c8d7b98b PNA	143
	144	/* IP header checks: fragment. */
	145	if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
052b9498	146	return NULL;
c8d7b98b	147
e1dbbc59 LZ	148	if (ip_hdr(oldskb)->protocol != IPPROTO_TCP)
	149	return NULL;
	150
c8d7b98b	151	oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
052b9498	152	sizeof(struct tcphdr), _oth);
c8d7b98b	153	if (oth == NULL)
052b9498	154	return NULL;
c8d7b98b PNA	155
	156	/* No RST for RST. */
	157	if (oth->rst)
052b9498	158	return NULL;
c8d7b98b PNA	159
	160	/* Check checksum */
	161	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
052b9498	162	return NULL;
c8d7b98b	163
052b9498 PNA	164	return oth;
	165	}
	166	EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_get);
c8d7b98b	167
052b9498 PNA	168	struct iphdr nf_reject_iphdr_put(struct sk_buff nskb,
052b9498 PNA	169	const struct sk_buff *oldskb,
a03a8dbe	170	__u8 protocol, int ttl)
052b9498 PNA	171	{
052b9498 PNA	172	struct iphdr niph, oiph = ip_hdr(oldskb);
c8d7b98b PNA	173
c8d7b98b PNA	174	skb_reset_network_header(nskb);
4df864c1	175	niph = skb_put(nskb, sizeof(struct iphdr));
c8d7b98b PNA	176	niph->version = 4;
	177	niph->ihl = sizeof(struct iphdr) / 4;
	178	niph->tos = 0;
	179	niph->id = 0;
	180	niph->frag_off = htons(IP_DF);
052b9498	181	niph->protocol = protocol;
c8d7b98b PNA	182	niph->check = 0;
	183	niph->saddr = oiph->daddr;
	184	niph->daddr = oiph->saddr;
052b9498 PNA	185	niph->ttl = ttl;
	186
	187	nskb->protocol = htons(ETH_P_IP);
	188
	189	return niph;
	190	}
	191	EXPORT_SYMBOL_GPL(nf_reject_iphdr_put);
	192
	193	void nf_reject_ip_tcphdr_put(struct sk_buff nskb, const struct sk_buff oldskb,
	194	const struct tcphdr *oth)
	195	{
	196	struct iphdr *niph = ip_hdr(nskb);
	197	struct tcphdr *tcph;
c8d7b98b PNA	198
c8d7b98b PNA	199	skb_reset_transport_header(nskb);
b080db58	200	tcph = skb_put_zero(nskb, sizeof(struct tcphdr));
c8d7b98b PNA	201	tcph->source = oth->dest;
	202	tcph->dest = oth->source;
	203	tcph->doff = sizeof(struct tcphdr) / 4;
	204
052b9498	205	if (oth->ack) {
c8d7b98b	206	tcph->seq = oth->ack_seq;
052b9498	207	} else {
c8d7b98b PNA	208	tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
	209	oldskb->len - ip_hdrlen(oldskb) -
	210	(oth->doff << 2));
	211	tcph->ack = 1;
	212	}
	213
	214	tcph->rst = 1;
	215	tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
	216	niph->daddr, 0);
	217	nskb->ip_summed = CHECKSUM_PARTIAL;
	218	nskb->csum_start = (unsigned char *)tcph - nskb->head;
	219	nskb->csum_offset = offsetof(struct tcphdr, check);
052b9498 PNA	220	}
	221	EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_put);
	222
f53b9b0b LGL	223	static int nf_reject_fill_skb_dst(struct sk_buff *skb_in)
	224	{
	225	struct dst_entry *dst = NULL;
	226	struct flowi fl;
	227
	228	memset(&fl, 0, sizeof(struct flowi));
	229	fl.u.ip4.daddr = ip_hdr(skb_in)->saddr;
	230	nf_ip_route(dev_net(skb_in->dev), &dst, &fl, false);
	231	if (!dst)
	232	return -1;
	233
	234	skb_dst_set(skb_in, dst);
	235	return 0;
	236	}
	237
052b9498	238	/* Send RST reply */
04295878 JE	239	void nf_send_reset(struct net net, struct sock sk, struct sk_buff *oldskb,
04295878 JE	240	int hook)
052b9498	241	{
c4b0e771	242	struct net_device *br_indev __maybe_unused;
052b9498	243	struct sk_buff *nskb;
052b9498 PNA	244	struct iphdr *niph;
	245	const struct tcphdr *oth;
	246	struct tcphdr _oth;
	247
	248	oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
	249	if (!oth)
	250	return;
	251
117ca1f8 PNA	252	if ((hook == NF_INET_PRE_ROUTING \|\| hook == NF_INET_INGRESS) &&
117ca1f8 PNA	253	nf_reject_fill_skb_dst(oldskb) < 0)
f53b9b0b LGL	254	return;
f53b9b0b LGL	255
052b9498 PNA	256	if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST \| RTCF_MULTICAST))
	257	return;
	258
052b9498 PNA	259	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
	260	LL_MAX_HEADER, GFP_ATOMIC);
	261	if (!nskb)
	262	return;
c8d7b98b PNA	263
	264	/* ip_route_me_harder expects skb->dst to be set */
	265	skb_dst_set_noref(nskb, skb_dst(oldskb));
	266
cc31d43b PEP	267	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
cc31d43b PEP	268
052b9498 PNA	269	skb_reserve(nskb, LL_MAX_HEADER);
	270	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
	271	ip4_dst_hoplimit(skb_dst(nskb)));
	272	nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
04295878	273	if (ip_route_me_harder(net, sk, nskb, RTN_UNSPEC))
c8d7b98b PNA	274	goto free_nskb;
c8d7b98b PNA	275
7400bb4b TT	276	niph = ip_hdr(nskb);
7400bb4b TT	277
c8d7b98b PNA	278	/* "Never happens" */
	279	if (nskb->len > dst_mtu(skb_dst(nskb)))
	280	goto free_nskb;
	281
	282	nf_ct_attach(nskb, oldskb);
	283
	284	#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	285	/* If we use ip_local_out for bridged traffic, the MAC source on
	286	* the RST will be ours, instead of the destination's. This confuses
	287	* some routers/firewalls, and they drop the packet. So we need to
	288	* build the eth header using the original destination's MAC as the
	289	* source, and send the RST packet directly.
	290	*/
c4b0e771 FW	291	br_indev = nf_bridge_get_physindev(oldskb);
c4b0e771 FW	292	if (br_indev) {
c8d7b98b	293	struct ethhdr *oeth = eth_hdr(oldskb);
c737b7c4	294
c4b0e771	295	nskb->dev = br_indev;
c8d7b98b PNA	296	niph->tot_len = htons(nskb->len);
	297	ip_send_check(niph);
	298	if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol),
	299	oeth->h_source, oeth->h_dest, nskb->len) < 0)
	300	goto free_nskb;
	301	dev_queue_xmit(nskb);
	302	} else
	303	#endif
33224b16	304	ip_local_out(net, nskb->sk, nskb);
c8d7b98b PNA	305
	306	return;
	307
	308	free_nskb:
	309	kfree_skb(nskb);
	310	}
	311	EXPORT_SYMBOL_GPL(nf_send_reset);
ab2d7251	312
ee586bbc FW	313	void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
	314	{
	315	struct iphdr *iph = ip_hdr(skb_in);
4f9bd530	316	int dataoff = ip_hdrlen(skb_in);
7fc38225	317	u8 proto = iph->protocol;
ee586bbc	318
219f1d79	319	if (iph->frag_off & htons(IP_OFFSET))
ee586bbc FW	320	return;
ee586bbc FW	321
117ca1f8 PNA	322	if ((hook == NF_INET_PRE_ROUTING \|\| hook == NF_INET_INGRESS) &&
117ca1f8 PNA	323	nf_reject_fill_skb_dst(skb_in) < 0)
f53b9b0b LGL	324	return;
f53b9b0b LGL	325
4f9bd530 KM	326	if (skb_csum_unnecessary(skb_in) \|\|
4f9bd530 KM	327	!nf_reject_verify_csum(skb_in, dataoff, proto)) {
ee586bbc FW	328	icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
	329	return;
	330	}
	331
4f9bd530	332	if (nf_ip_checksum(skb_in, hook, dataoff, proto) == 0)
ee586bbc FW	333	icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
	334	}
	335	EXPORT_SYMBOL_GPL(nf_send_unreach);
	336
ab2d7251	337	MODULE_LICENSE("GPL");