From: Phil Oester
Date: Wed, 26 Jun 2013 21:16:28 +0000 (-0400)
Subject: netfilter: ip[6]t_REJECT: tcp-reset using wrong MAC source if bridged
X-Git-Tag: v3.12-rc1~132^2~167^2~7
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=affe759dbaa9e6c08b0da0a11d1933b61f199f51;p=pandora-kernel.git

netfilter: ip[6]t_REJECT: tcp-reset using wrong MAC source if bridged

As reported by Casper Gripenberg, in a bridged setup, using ip[6]t_REJECT
with the tcp-reset option sends out reset packets with the src MAC address
of the local bridge interface, instead of the MAC address of the intended
destination. This causes some routers/firewalls to drop the reset packet
as it appears to be spoofed. Fix this by bypassing ip[6]_local_out and
setting the MAC of the sender in the tcp reset packet.

This closes netfilter bugzilla #531.

Signed-off-by: Phil Oester
Signed-off-by: Pablo Neira Ayuso
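
The symptom described in the commit message can be spotted on the wire by comparing the source MAC of each TCP RST with the MAC already observed for that source IP. The following is an added example, not part of this commit or of the kernel source: the function names are hypothetical, the frames and addresses are constructed sample data, and it assumes untagged Ethernet carrying IPv4 seen from a segment where the real destination host has already sent traffic.

```python
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, flags, 0, 0, 0)
    return eth + ip + tcp

def parse(frame):
    """Return (src_mac, src_ip, is_rst) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 14:
        return None                      # not TCP or truncated TCP header
    src_mac = frame[6:12].hex(":")
    src_ip = ".".join(str(b) for b in frame[26:30])
    return src_mac, src_ip, bool(frame[14 + ihl + 13] & 0x04)

def find_mismatched_resets(frames):
    """Flag RSTs whose source MAC differs from the MAC learned for that IP."""
    bindings, suspects = {}, []
    for index, frame in enumerate(frames):
        parsed = parse(frame)
        if parsed is None:
            continue
        mac, ip, is_rst = parsed
        if not is_rst:
            bindings.setdefault(ip, mac)  # learn only from non-reset traffic
        elif ip in bindings and bindings[ip] != mac:
            suspects.append((index, ip, mac, bindings[ip]))
    return suspects

# Constructed addresses: client, intended destination (server), local bridge.
CLIENT, SERVER, BRIDGE = "02:00:00:00:00:0a", "02:00:00:00:00:14", "02:00:00:00:00:fe"
FRAMES = [
    build_frame(SERVER, CLIENT, "192.0.2.20", "192.0.2.10", 0x10),  # earlier ACK
    build_frame(CLIENT, SERVER, "192.0.2.10", "192.0.2.20", 0x02),  # SYN
    build_frame(BRIDGE, CLIENT, "192.0.2.20", "192.0.2.10", 0x14),  # RST, bridge MAC
    build_frame(SERVER, CLIENT, "192.0.2.20", "192.0.2.10", 0x14),  # RST, server MAC
]

if __name__ == "__main__":
    for hit in find_mismatched_resets(FRAMES):
        print("RST frame %d from %s: MAC %s, expected %s" % hit)
```

Only the third frame is reported: its source IP is the intended destination, but its source MAC belongs to the bridge.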