authorEric Leblond <eric@inl.fr>2009-02-09 17:33:20 -0500
committerDavid S. Miller <davem@davemloft.net>2009-02-09 17:33:20 -0500
commit3f9007135c1dc896db9a9e35920aafc65b157230 (patch)
treeff164ddf28a24c7a780393fd91df2dad3e76318b
parenta51f42f3c940e5582c40454ece066d033bc7e24f (diff)
netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message
This patch removes connection tracking handling for ICMPv6 messages related to Stateless Address Autoconfiguration, MLD, and MLDv2. They cannot be tracked because they make heavy use of multicast (to pre-defined addresses), but they are not invalid and should not be detected as such. Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c21
1 files changed, 21 insertions, 0 deletions
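--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -53,6 +53,17 @@ static const u_int8_t invmap[] = {
 	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_QUERY +1
 };
 
+static const u_int8_t noct_valid_new[] = {
+	[ICMPV6_MGM_QUERY - 130] = 1,
+	[ICMPV6_MGM_REPORT -130] = 1,
+	[ICMPV6_MGM_REDUCTION - 130] = 1,
+	[NDISC_ROUTER_SOLICITATION - 130] = 1,
+	[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
+	[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
+	[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
+	[ICMPV6_MLD2_REPORT - 130] = 1
+};
+
 static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
 				const struct nf_conntrack_tuple *orig)
 {
@@ -178,6 +189,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 {
 	const struct icmp6hdr *icmp6h;
 	struct icmp6hdr _ih;
+	int type;
 
 	icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
 	if (icmp6h == NULL) {
@@ -194,6 +206,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 		return -NF_ACCEPT;
 	}
 
+	type = icmp6h->icmp6_type - 130;
+	if (type >= 0 && type < sizeof(noct_valid_new) &&
+	    noct_valid_new[type]) {
+		skb->nfct = &nf_conntrack_untracked.ct_general;
+		skb->nfctinfo = IP_CT_NEW;
+		nf_conntrack_get(skb->nfct);
+		return NF_ACCEPT;
+	}
+
 	/* is not error message ? */
 	if (icmp6h->icmp6_type >= 128)
 		return NF_ACCEPT;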
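Review bot: The bounds check at new lines 210-211 compares the signed `type` against `sizeof(noct_valid_new)`, which equals the entry count only because the table's element type is one byte; the kernel's `ARRAY_SIZE(noct_valid_new)` states the intent and survives a change of element type, so I would write `if (type >= 0 && type < ARRAY_SIZE(noct_valid_new) &&` (the `type >= 0` guard must stay first, since `icmp6_type - 130` is negative for the lower types). The new table at 56-65 has no comment explaining the offset or the policy; a line such as `/* ICMPv6 types >= 130 (MLD, NDISC, MLDv2) are multicast-based and cannot be tracked: accept them as untracked rather than INVALID */` above it would ground the magic 130 (the value of ICMPV6_MGM_QUERY, the first entry) and mirror the commit message. Line 58 writes `ICMPV6_MGM_REPORT -130` while its neighbours use `- 130`. icmpv6_error begins and ends outside the hunk, so the check that produces the `return -NF_ACCEPT` at 206 before the untracked path is reached is not visible here.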