netfilter: reject: don't send icmp error if csum is invalid

[karo-tx-linux.git] / net / ipv4 / netfilter / nf_reject_ipv4.c

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 536da7bc598ae9321224bb16c8d800571a163153..b7405eb7f1ef566570f8f5d6cd4aa20a591bb40a 100644 (file)
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -164,4 +164,27 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
 }
 EXPORT_SYMBOL_GPL(nf_send_reset);
 
+void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
+{
+       struct iphdr *iph = ip_hdr(skb_in);
+       u8 proto;
+
+       if (skb_in->csum_bad || iph->frag_off & htons(IP_OFFSET))
+               return;
+
+       if (skb_csum_unnecessary(skb_in)) {
+               icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
+               return;
+       }
+
+       if (iph->protocol == IPPROTO_TCP || iph->protocol == IPPROTO_UDP)
+               proto = iph->protocol;
+       else
+               proto = 0;
+
+       if (nf_ip_checksum(skb_in, hook, ip_hdrlen(skb_in), proto) == 0)
+               icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
+}
+EXPORT_SYMBOL_GPL(nf_send_unreach);
+
 MODULE_LICENSE("GPL");