netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Patrick McHardy <kaber@trash.net>	2012-08-26 21:13:59 +0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-08-30 05:00:11 +0400
commit	2b60af017880f7dc35d1fac65f48fc94f8a3c1ec (patch)
tree	9d31901b188530c740a8b3243580c3bd4de4563a /net/netfilter
parent	4cdd34084d539c758d00c5dc7bf95db2e4f2bc70 (diff)
download	linux-2b60af017880f7dc35d1fac65f48fc94f8a3c1ec.tar.xz

netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments

ICMPv6 error messages are tracked by extracting the conntrack tuple of the inner packet and looking up the corresponding conntrack entry. Tuple extraction uses the ->get_l4proto() callback, which in case of fragments returns NEXTHDR_FRAGMENT instead of the upper protocol, even for the first fragment when the entire next header is present, resulting in a failure to find the correct connection tracking entry. This patch changes ipv6_get_l4proto() to use ipv6_skip_exthdr() instead of nf_ct_ipv6_skip_exthdr() in order to skip fragment headers when the fragment offset is zero. Signed-off-by: Patrick McHardy <kaber@trash.net>

Diffstat (limited to 'net/netfilter')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: