Commit 3f900713 authored by Eric Leblond's avatar Eric Leblond Committed by David S. Miller

netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message

This patch removes connection tracking handling for ICMPv6 messages
related to Stateless Address Autoconfiguration, MLD, and MLDv2. They
cannot be tracked because they make heavy use of multicast (on
pre-defined addresses). But they are not invalid and should not be
detected as such.
Signed-off-by: default avatarEric Leblond <eric@inl.fr>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a51f42f3
...@@ -53,6 +53,17 @@ static const u_int8_t invmap[] = { ...@@ -53,6 +53,17 @@ static const u_int8_t invmap[] = {
[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_QUERY +1 [ICMPV6_NI_REPLY - 128] = ICMPV6_NI_QUERY +1
}; };
static const u_int8_t noct_valid_new[] = {
[ICMPV6_MGM_QUERY - 130] = 1,
[ICMPV6_MGM_REPORT -130] = 1,
[ICMPV6_MGM_REDUCTION - 130] = 1,
[NDISC_ROUTER_SOLICITATION - 130] = 1,
[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
[ICMPV6_MLD2_REPORT - 130] = 1
};
static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple, static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_tuple *orig) const struct nf_conntrack_tuple *orig)
{ {
...@@ -178,6 +189,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, ...@@ -178,6 +189,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
{ {
const struct icmp6hdr *icmp6h; const struct icmp6hdr *icmp6h;
struct icmp6hdr _ih; struct icmp6hdr _ih;
int type;
icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih); icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
if (icmp6h == NULL) { if (icmp6h == NULL) {
...@@ -194,6 +206,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, ...@@ -194,6 +206,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
return -NF_ACCEPT; return -NF_ACCEPT;
} }
type = icmp6h->icmp6_type - 130;
if (type >= 0 && type < sizeof(noct_valid_new) &&
noct_valid_new[type]) {
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
return NF_ACCEPT;
}
/* is not error message ? */ /* is not error message ? */
if (icmp6h->icmp6_type >= 128) if (icmp6h->icmp6_type >= 128)
return NF_ACCEPT; return NF_ACCEPT;
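Review bot: The offset 130 is repeated as a bare literal in every designated initializer of noct_valid_new in the first hunk and again in `type = icmp6h->icmp6_type - 130;` here, with nothing stating that it is the value of ICMPV6_MGM_QUERY, the lowest type in the table, so the two sites can drift apart silently. A comment on the table such as `/* ICMPv6 types >= 130 (ICMPV6_MGM_QUERY) that are never tracked: NDP and MLD negotiation, normally sent to multicast; indexed by type - 130 */` would tie the index arithmetic to the table, and `[ICMPV6_MGM_REPORT - 130]` would match the spacing of the other entries. It is also worth noting in that comment that the bypass keys on type alone, so unicast packets of these types are marked untracked too, which appears to be what the commit intends. icmpv6_error's body continues outside the hunk.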