+10

include/net/netfilter/ipv4/nf_reject.h

reviewed

··· 18 18 void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb, 19 19 const struct tcphdr *oth); 20 20 21 21 + struct sk_buff *nf_reject_skb_v4_unreach(struct net *net, 22 22 + struct sk_buff *oldskb, 23 23 + const struct net_device *dev, 24 24 + int hook, u8 code); 25 25 + struct sk_buff *nf_reject_skb_v4_tcp_reset(struct net *net, 26 26 + struct sk_buff *oldskb, 27 27 + const struct net_device *dev, 28 28 + int hook); 29 29 + 30 30 + 21 31 #endif /* _IPV4_NF_REJECT_H */

+9

include/net/netfilter/ipv6/nf_reject.h

reviewed

··· 20 20 const struct sk_buff *oldskb, 21 21 const struct tcphdr *oth, unsigned int otcplen); 22 22 23 23 + struct sk_buff *nf_reject_skb_v6_tcp_reset(struct net *net, 24 24 + struct sk_buff *oldskb, 25 25 + const struct net_device *dev, 26 26 + int hook); 27 27 + struct sk_buff *nf_reject_skb_v6_unreach(struct net *net, 28 28 + struct sk_buff *oldskb, 29 29 + const struct net_device *dev, 30 30 + int hook, u8 code); 31 31 + 23 32 #endif /* _IPV6_NF_REJECT_H */

+1 -1

net/bridge/netfilter/Kconfig

reviewed

··· 17 17 18 18 config NFT_BRIDGE_REJECT 19 19 tristate "Netfilter nf_tables bridge reject support" 20 20 - depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6 20 20 + depends on NFT_REJECT 21 21 help 22 22 Add support to reject packets. 23 23

+4 -191

net/bridge/netfilter/nft_reject_bridge.c

reviewed

··· 39 39 } 40 40 } 41 41 42 42 - static int nft_bridge_iphdr_validate(struct sk_buff *skb) 43 43 - { 44 44 - struct iphdr *iph; 45 45 - u32 len; 46 46 - 47 47 - if (!pskb_may_pull(skb, sizeof(struct iphdr))) 48 48 - return 0; 49 49 - 50 50 - iph = ip_hdr(skb); 51 51 - if (iph->ihl < 5 || iph->version != 4) 52 52 - return 0; 53 53 - 54 54 - len = ntohs(iph->tot_len); 55 55 - if (skb->len < len) 56 56 - return 0; 57 57 - else if (len < (iph->ihl*4)) 58 58 - return 0; 59 59 - 60 60 - if (!pskb_may_pull(skb, iph->ihl*4)) 61 61 - return 0; 62 62 - 63 63 - return 1; 64 64 - } 65 65 - 66 42 /* We cannot use oldskb->dev, it can be either bridge device (NF_BRIDGE INPUT) 67 43 * or the bridge port (NF_BRIDGE PREROUTING). 68 44 */ ··· 48 72 int hook) 49 73 { 50 74 struct sk_buff *nskb; 51 51 - struct iphdr *niph; 52 52 - const struct tcphdr *oth; 53 53 - struct tcphdr _oth; 54 75 55 55 - if (!nft_bridge_iphdr_validate(oldskb)) 56 56 - return; 57 57 - 58 58 - oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook); 59 59 - if (!oth) 60 60 - return; 61 61 - 62 62 - nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + 63 63 - LL_MAX_HEADER, GFP_ATOMIC); 76 76 + nskb = nf_reject_skb_v4_tcp_reset(net, oldskb, dev, hook); 64 77 if (!nskb) 65 78 return; 66 66 - 67 67 - skb_reserve(nskb, LL_MAX_HEADER); 68 68 - niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP, 69 69 - net->ipv4.sysctl_ip_default_ttl); 70 70 - nf_reject_ip_tcphdr_put(nskb, oldskb, oth); 71 71 - niph->tot_len = htons(nskb->len); 72 72 - ip_send_check(niph); 73 79 74 80 nft_reject_br_push_etherhdr(oldskb, nskb); 75 81 ··· 64 106 int hook, u8 code) 65 107 { 66 108 struct sk_buff *nskb; 67 67 - struct iphdr *niph; 68 68 - struct icmphdr *icmph; 69 69 - unsigned int len; 70 70 - __wsum csum; 71 71 - u8 proto; 72 109 73 73 - if (!nft_bridge_iphdr_validate(oldskb)) 74 74 - return; 75 75 - 76 76 - /* IP header checks: fragment. */ 77 77 - if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 78 78 - return; 79 79 - 80 80 - /* RFC says return as much as we can without exceeding 576 bytes. */ 81 81 - len = min_t(unsigned int, 536, oldskb->len); 82 82 - 83 83 - if (!pskb_may_pull(oldskb, len)) 84 84 - return; 85 85 - 86 86 - if (pskb_trim_rcsum(oldskb, ntohs(ip_hdr(oldskb)->tot_len))) 87 87 - return; 88 88 - 89 89 - proto = ip_hdr(oldskb)->protocol; 90 90 - 91 91 - if (!skb_csum_unnecessary(oldskb) && 92 92 - nf_reject_verify_csum(proto) && 93 93 - nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), proto)) 94 94 - return; 95 95 - 96 96 - nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr) + 97 97 - LL_MAX_HEADER + len, GFP_ATOMIC); 110 110 + nskb = nf_reject_skb_v4_unreach(net, oldskb, dev, hook, code); 98 111 if (!nskb) 99 112 return; 100 100 - 101 101 - skb_reserve(nskb, LL_MAX_HEADER); 102 102 - niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_ICMP, 103 103 - net->ipv4.sysctl_ip_default_ttl); 104 104 - 105 105 - skb_reset_transport_header(nskb); 106 106 - icmph = skb_put_zero(nskb, sizeof(struct icmphdr)); 107 107 - icmph->type = ICMP_DEST_UNREACH; 108 108 - icmph->code = code; 109 109 - 110 110 - skb_put_data(nskb, skb_network_header(oldskb), len); 111 111 - 112 112 - csum = csum_partial((void *)icmph, len + sizeof(struct icmphdr), 0); 113 113 - icmph->checksum = csum_fold(csum); 114 114 - 115 115 - niph->tot_len = htons(nskb->len); 116 116 - ip_send_check(niph); 117 113 118 114 nft_reject_br_push_etherhdr(oldskb, nskb); 119 115 120 116 br_forward(br_port_get_rcu(dev), nskb, false, true); 121 121 - } 122 122 - 123 123 - static int nft_bridge_ip6hdr_validate(struct sk_buff *skb) 124 124 - { 125 125 - struct ipv6hdr *hdr; 126 126 - u32 pkt_len; 127 127 - 128 128 - if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) 129 129 - return 0; 130 130 - 131 131 - hdr = ipv6_hdr(skb); 132 132 - if (hdr->version != 6) 133 133 - return 0; 134 134 - 135 135 - pkt_len = ntohs(hdr->payload_len); 136 136 - if (pkt_len + sizeof(struct ipv6hdr) > skb->len) 137 137 - return 0; 138 138 - 139 139 - return 1; 140 117 } 141 118 142 119 static void nft_reject_br_send_v6_tcp_reset(struct net *net, ··· 80 187 int hook) 81 188 { 82 189 struct sk_buff *nskb; 83 83 - const struct tcphdr *oth; 84 84 - struct tcphdr _oth; 85 85 - unsigned int otcplen; 86 86 - struct ipv6hdr *nip6h; 87 190 88 88 - if (!nft_bridge_ip6hdr_validate(oldskb)) 89 89 - return; 90 90 - 91 91 - oth = nf_reject_ip6_tcphdr_get(oldskb, &_oth, &otcplen, hook); 92 92 - if (!oth) 93 93 - return; 94 94 - 95 95 - nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct tcphdr) + 96 96 - LL_MAX_HEADER, GFP_ATOMIC); 191 191 + nskb = nf_reject_skb_v6_tcp_reset(net, oldskb, dev, hook); 97 192 if (!nskb) 98 193 return; 99 99 - 100 100 - skb_reserve(nskb, LL_MAX_HEADER); 101 101 - nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP, 102 102 - net->ipv6.devconf_all->hop_limit); 103 103 - nf_reject_ip6_tcphdr_put(nskb, oldskb, oth, otcplen); 104 104 - nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr)); 105 194 106 195 nft_reject_br_push_etherhdr(oldskb, nskb); 107 196 108 197 br_forward(br_port_get_rcu(dev), nskb, false, true); 109 198 } 110 199 111 111 - static bool reject6_br_csum_ok(struct sk_buff *skb, int hook) 112 112 - { 113 113 - const struct ipv6hdr *ip6h = ipv6_hdr(skb); 114 114 - int thoff; 115 115 - __be16 fo; 116 116 - u8 proto = ip6h->nexthdr; 117 117 - 118 118 - if (skb_csum_unnecessary(skb)) 119 119 - return true; 120 120 - 121 121 - if (ip6h->payload_len && 122 122 - pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h))) 123 123 - return false; 124 124 - 125 125 - ip6h = ipv6_hdr(skb); 126 126 - thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo); 127 127 - if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0) 128 128 - return false; 129 129 - 130 130 - if (!nf_reject_verify_csum(proto)) 131 131 - return true; 132 132 - 133 133 - return nf_ip6_checksum(skb, hook, thoff, proto) == 0; 134 134 - } 135 200 136 201 static void nft_reject_br_send_v6_unreach(struct net *net, 137 202 struct sk_buff *oldskb, ··· 97 246 int hook, u8 code) 98 247 { 99 248 struct sk_buff *nskb; 100 100 - struct ipv6hdr *nip6h; 101 101 - struct icmp6hdr *icmp6h; 102 102 - unsigned int len; 103 249 104 104 - if (!nft_bridge_ip6hdr_validate(oldskb)) 105 105 - return; 106 106 - 107 107 - /* Include "As much of invoking packet as possible without the ICMPv6 108 108 - * packet exceeding the minimum IPv6 MTU" in the ICMP payload. 109 109 - */ 110 110 - len = min_t(unsigned int, 1220, oldskb->len); 111 111 - 112 112 - if (!pskb_may_pull(oldskb, len)) 113 113 - return; 114 114 - 115 115 - if (!reject6_br_csum_ok(oldskb, hook)) 116 116 - return; 117 117 - 118 118 - nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) + 119 119 - LL_MAX_HEADER + len, GFP_ATOMIC); 250 250 + nskb = nf_reject_skb_v6_unreach(net, oldskb, dev, hook, code); 120 251 if (!nskb) 121 252 return; 122 122 - 123 123 - skb_reserve(nskb, LL_MAX_HEADER); 124 124 - nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_ICMPV6, 125 125 - net->ipv6.devconf_all->hop_limit); 126 126 - 127 127 - skb_reset_transport_header(nskb); 128 128 - icmp6h = skb_put_zero(nskb, sizeof(struct icmp6hdr)); 129 129 - icmp6h->icmp6_type = ICMPV6_DEST_UNREACH; 130 130 - icmp6h->icmp6_code = code; 131 131 - 132 132 - skb_put_data(nskb, skb_network_header(oldskb), len); 133 133 - nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr)); 134 134 - 135 135 - icmp6h->icmp6_cksum = 136 136 - csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, 137 137 - nskb->len - sizeof(struct ipv6hdr), 138 138 - IPPROTO_ICMPV6, 139 139 - csum_partial(icmp6h, 140 140 - nskb->len - sizeof(struct ipv6hdr), 141 141 - 0)); 142 253 143 254 nft_reject_br_push_etherhdr(oldskb, nskb); 144 255

+122

net/ipv4/netfilter/nf_reject_ipv4.c

reviewed

··· 12 12 #include <linux/netfilter_ipv4.h> 13 13 #include <linux/netfilter_bridge.h> 14 14 15 15 + static int nf_reject_iphdr_validate(struct sk_buff *skb) 16 16 + { 17 17 + struct iphdr *iph; 18 18 + u32 len; 19 19 + 20 20 + if (!pskb_may_pull(skb, sizeof(struct iphdr))) 21 21 + return 0; 22 22 + 23 23 + iph = ip_hdr(skb); 24 24 + if (iph->ihl < 5 || iph->version != 4) 25 25 + return 0; 26 26 + 27 27 + len = ntohs(iph->tot_len); 28 28 + if (skb->len < len) 29 29 + return 0; 30 30 + else if (len < (iph->ihl*4)) 31 31 + return 0; 32 32 + 33 33 + if (!pskb_may_pull(skb, iph->ihl*4)) 34 34 + return 0; 35 35 + 36 36 + return 1; 37 37 + } 38 38 + 39 39 + struct sk_buff *nf_reject_skb_v4_tcp_reset(struct net *net, 40 40 + struct sk_buff *oldskb, 41 41 + const struct net_device *dev, 42 42 + int hook) 43 43 + { 44 44 + const struct tcphdr *oth; 45 45 + struct sk_buff *nskb; 46 46 + struct iphdr *niph; 47 47 + struct tcphdr _oth; 48 48 + 49 49 + if (!nf_reject_iphdr_validate(oldskb)) 50 50 + return NULL; 51 51 + 52 52 + oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook); 53 53 + if (!oth) 54 54 + return NULL; 55 55 + 56 56 + nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + 57 57 + LL_MAX_HEADER, GFP_ATOMIC); 58 58 + if (!nskb) 59 59 + return NULL; 60 60 + 61 61 + nskb->dev = (struct net_device *)dev; 62 62 + 63 63 + skb_reserve(nskb, LL_MAX_HEADER); 64 64 + niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP, 65 65 + net->ipv4.sysctl_ip_default_ttl); 66 66 + nf_reject_ip_tcphdr_put(nskb, oldskb, oth); 67 67 + niph->tot_len = htons(nskb->len); 68 68 + ip_send_check(niph); 69 69 + 70 70 + return nskb; 71 71 + } 72 72 + EXPORT_SYMBOL_GPL(nf_reject_skb_v4_tcp_reset); 73 73 + 74 74 + struct sk_buff *nf_reject_skb_v4_unreach(struct net *net, 75 75 + struct sk_buff *oldskb, 76 76 + const struct net_device *dev, 77 77 + int hook, u8 code) 78 78 + { 79 79 + struct sk_buff *nskb; 80 80 + struct iphdr *niph; 81 81 + struct icmphdr *icmph; 82 82 + unsigned int len; 83 83 + __wsum csum; 84 84 + u8 proto; 85 85 + 86 86 + if (!nf_reject_iphdr_validate(oldskb)) 87 87 + return NULL; 88 88 + 89 89 + /* IP header checks: fragment. */ 90 90 + if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 91 91 + return NULL; 92 92 + 93 93 + /* RFC says return as much as we can without exceeding 576 bytes. */ 94 94 + len = min_t(unsigned int, 536, oldskb->len); 95 95 + 96 96 + if (!pskb_may_pull(oldskb, len)) 97 97 + return NULL; 98 98 + 99 99 + if (pskb_trim_rcsum(oldskb, ntohs(ip_hdr(oldskb)->tot_len))) 100 100 + return NULL; 101 101 + 102 102 + proto = ip_hdr(oldskb)->protocol; 103 103 + 104 104 + if (!skb_csum_unnecessary(oldskb) && 105 105 + nf_reject_verify_csum(proto) && 106 106 + nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), proto)) 107 107 + return NULL; 108 108 + 109 109 + nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr) + 110 110 + LL_MAX_HEADER + len, GFP_ATOMIC); 111 111 + if (!nskb) 112 112 + return NULL; 113 113 + 114 114 + nskb->dev = (struct net_device *)dev; 115 115 + 116 116 + skb_reserve(nskb, LL_MAX_HEADER); 117 117 + niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_ICMP, 118 118 + net->ipv4.sysctl_ip_default_ttl); 119 119 + 120 120 + skb_reset_transport_header(nskb); 121 121 + icmph = skb_put_zero(nskb, sizeof(struct icmphdr)); 122 122 + icmph->type = ICMP_DEST_UNREACH; 123 123 + icmph->code = code; 124 124 + 125 125 + skb_put_data(nskb, skb_network_header(oldskb), len); 126 126 + 127 127 + csum = csum_partial((void *)icmph, len + sizeof(struct icmphdr), 0); 128 128 + icmph->checksum = csum_fold(csum); 129 129 + 130 130 + niph->tot_len = htons(nskb->len); 131 131 + ip_send_check(niph); 132 132 + 133 133 + return nskb; 134 134 + } 135 135 + EXPORT_SYMBOL_GPL(nf_reject_skb_v4_unreach); 136 136 + 15 137 const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb, 16 138 struct tcphdr *_oth, int hook) 17 139 {

+134

net/ipv6/netfilter/nf_reject_ipv6.c

reviewed

··· 12 12 #include <linux/netfilter_ipv6.h> 13 13 #include <linux/netfilter_bridge.h> 14 14 15 15 + static bool nf_reject_v6_csum_ok(struct sk_buff *skb, int hook) 16 16 + { 17 17 + const struct ipv6hdr *ip6h = ipv6_hdr(skb); 18 18 + int thoff; 19 19 + __be16 fo; 20 20 + u8 proto = ip6h->nexthdr; 21 21 + 22 22 + if (skb_csum_unnecessary(skb)) 23 23 + return true; 24 24 + 25 25 + if (ip6h->payload_len && 26 26 + pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h))) 27 27 + return false; 28 28 + 29 29 + ip6h = ipv6_hdr(skb); 30 30 + thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo); 31 31 + if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0) 32 32 + return false; 33 33 + 34 34 + if (!nf_reject_verify_csum(proto)) 35 35 + return true; 36 36 + 37 37 + return nf_ip6_checksum(skb, hook, thoff, proto) == 0; 38 38 + } 39 39 + 40 40 + static int nf_reject_ip6hdr_validate(struct sk_buff *skb) 41 41 + { 42 42 + struct ipv6hdr *hdr; 43 43 + u32 pkt_len; 44 44 + 45 45 + if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) 46 46 + return 0; 47 47 + 48 48 + hdr = ipv6_hdr(skb); 49 49 + if (hdr->version != 6) 50 50 + return 0; 51 51 + 52 52 + pkt_len = ntohs(hdr->payload_len); 53 53 + if (pkt_len + sizeof(struct ipv6hdr) > skb->len) 54 54 + return 0; 55 55 + 56 56 + return 1; 57 57 + } 58 58 + 59 59 + struct sk_buff *nf_reject_skb_v6_tcp_reset(struct net *net, 60 60 + struct sk_buff *oldskb, 61 61 + const struct net_device *dev, 62 62 + int hook) 63 63 + { 64 64 + struct sk_buff *nskb; 65 65 + const struct tcphdr *oth; 66 66 + struct tcphdr _oth; 67 67 + unsigned int otcplen; 68 68 + struct ipv6hdr *nip6h; 69 69 + 70 70 + if (!nf_reject_ip6hdr_validate(oldskb)) 71 71 + return NULL; 72 72 + 73 73 + oth = nf_reject_ip6_tcphdr_get(oldskb, &_oth, &otcplen, hook); 74 74 + if (!oth) 75 75 + return NULL; 76 76 + 77 77 + nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct tcphdr) + 78 78 + LL_MAX_HEADER, GFP_ATOMIC); 79 79 + if (!nskb) 80 80 + return NULL; 81 81 + 82 82 + nskb->dev = (struct net_device *)dev; 83 83 + 84 84 + skb_reserve(nskb, LL_MAX_HEADER); 85 85 + nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP, 86 86 + net->ipv6.devconf_all->hop_limit); 87 87 + nf_reject_ip6_tcphdr_put(nskb, oldskb, oth, otcplen); 88 88 + nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr)); 89 89 + 90 90 + return nskb; 91 91 + } 92 92 + EXPORT_SYMBOL_GPL(nf_reject_skb_v6_tcp_reset); 93 93 + 94 94 + struct sk_buff *nf_reject_skb_v6_unreach(struct net *net, 95 95 + struct sk_buff *oldskb, 96 96 + const struct net_device *dev, 97 97 + int hook, u8 code) 98 98 + { 99 99 + struct sk_buff *nskb; 100 100 + struct ipv6hdr *nip6h; 101 101 + struct icmp6hdr *icmp6h; 102 102 + unsigned int len; 103 103 + 104 104 + if (!nf_reject_ip6hdr_validate(oldskb)) 105 105 + return NULL; 106 106 + 107 107 + /* Include "As much of invoking packet as possible without the ICMPv6 108 108 + * packet exceeding the minimum IPv6 MTU" in the ICMP payload. 109 109 + */ 110 110 + len = min_t(unsigned int, 1220, oldskb->len); 111 111 + 112 112 + if (!pskb_may_pull(oldskb, len)) 113 113 + return NULL; 114 114 + 115 115 + if (!nf_reject_v6_csum_ok(oldskb, hook)) 116 116 + return NULL; 117 117 + 118 118 + nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) + 119 119 + LL_MAX_HEADER + len, GFP_ATOMIC); 120 120 + if (!nskb) 121 121 + return NULL; 122 122 + 123 123 + nskb->dev = (struct net_device *)dev; 124 124 + 125 125 + skb_reserve(nskb, LL_MAX_HEADER); 126 126 + nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_ICMPV6, 127 127 + net->ipv6.devconf_all->hop_limit); 128 128 + 129 129 + skb_reset_transport_header(nskb); 130 130 + icmp6h = skb_put_zero(nskb, sizeof(struct icmp6hdr)); 131 131 + icmp6h->icmp6_type = ICMPV6_DEST_UNREACH; 132 132 + icmp6h->icmp6_code = code; 133 133 + 134 134 + skb_put_data(nskb, skb_network_header(oldskb), len); 135 135 + nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr)); 136 136 + 137 137 + icmp6h->icmp6_cksum = 138 138 + csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, 139 139 + nskb->len - sizeof(struct ipv6hdr), 140 140 + IPPROTO_ICMPV6, 141 141 + csum_partial(icmp6h, 142 142 + nskb->len - sizeof(struct ipv6hdr), 143 143 + 0)); 144 144 + 145 145 + return nskb; 146 146 + } 147 147 + EXPORT_SYMBOL_GPL(nf_reject_skb_v6_unreach); 148 148 + 15 149 const struct tcphdr *nf_reject_ip6_tcphdr_get(struct sk_buff *oldskb, 16 150 struct tcphdr *otcph, 17 151 unsigned int *otcplen, int hook)