diff options
| author | Phil Oester | 2013-06-26 23:16:28 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso | 2013-08-28 00:13:12 +0200 |
| commit | affe759dbaa9e6c08b0da0a11d1933b61f199f51 (patch) | |
| tree | f232ec8dcf549c3903b3a959480e79e9dba573c1 /include/net/netfilter/nf_conntrack_seqadj.h | |
| parent | e1000e: balance semaphore put/get for 82573 (diff) | |
| download | kernel-qcow2-linux-affe759dbaa9e6c08b0da0a11d1933b61f199f51.tar.gz kernel-qcow2-linux-affe759dbaa9e6c08b0da0a11d1933b61f199f51.tar.xz kernel-qcow2-linux-affe759dbaa9e6c08b0da0a11d1933b61f199f51.zip | |
netfilter: ip[6]t_REJECT: tcp-reset using wrong MAC source if bridged
As reported by Casper Gripenberg, in a bridged setup, using ip[6]t_REJECT
with the tcp-reset option sends out reset packets with the src MAC address
of the local bridge interface, instead of the MAC address of the intended
destination. This causes some routers/firewalls to drop the reset packet
as it appears to be spoofed. Fix this by bypassing ip[6]_local_out and
setting the MAC of the sender in the tcp reset packet.
This closes netfilter bugzilla #531.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net/netfilter/nf_conntrack_seqadj.h')
0 files changed, 0 insertions, 0 deletions