]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message
authorEric Leblond <eric@inl.fr>
Mon, 9 Feb 2009 22:33:20 +0000 (14:33 -0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 9 Feb 2009 22:33:20 +0000 (14:33 -0800)
This patch removes connection tracking handling for ICMPv6 messages
related to Stateless Address Autoconfiguration, MLD, and MLDv2. They
can not be tracked because they are massively using multicast (on
pre-defined address). But they are not invalid and should not be
detected as such.

Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

index 114a92e4258d104e57c8cf618d532337f602b015..c323643ffcf964214bcffb522c518cb6546bc38c 100644 (file)
@@ -53,6 +53,17 @@ static const u_int8_t invmap[] = {
        [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_QUERY +1
 };
 
+static const u_int8_t noct_valid_new[] = {
+       [ICMPV6_MGM_QUERY - 130] = 1,
+       [ICMPV6_MGM_REPORT -130] = 1,
+       [ICMPV6_MGM_REDUCTION - 130] = 1,
+       [NDISC_ROUTER_SOLICITATION - 130] = 1,
+       [NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
+       [NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
+       [NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
+       [ICMPV6_MLD2_REPORT - 130] = 1
+};
+
 static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
                                const struct nf_conntrack_tuple *orig)
 {
@@ -178,6 +189,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 {
        const struct icmp6hdr *icmp6h;
        struct icmp6hdr _ih;
+       int type;
 
        icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
        if (icmp6h == NULL) {
@@ -194,6 +206,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
                return -NF_ACCEPT;
        }
 
+       type = icmp6h->icmp6_type - 130;
+       if (type >= 0 && type < sizeof(noct_valid_new) &&
+           noct_valid_new[type]) {
+               skb->nfct = &nf_conntrack_untracked.ct_general;
+               skb->nfctinfo = IP_CT_NEW;
+               nf_conntrack_get(skb->nfct);
+               return NF_ACCEPT;
+       }
+
        /* is not error message ? */
        if (icmp6h->icmp6_type >= 128)
                return NF_ACCEPT;