authorPatrick McHardy <kaber@trash.net>2007-03-06 23:24:18 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2007-03-07 19:08:01 -0500
commitdd63006b8fb5abf2336e145632610c6175a28fea (patch)
treef409f238d52ffe981061d6a26176841e1fc50fb3
parent455921451a176d90c5cfef898f061bb6fc83faaf (diff)
[NETFILTER]: nf_conntrack_ipv6: fix incorrect classification of IPv6 fragments as ESTABLISHED
The individual fragments of a packet reassembled by conntrack have the conntrack reference from the reassembled packet attached, but nfctinfo is not copied. This leaves it initialized to 0, which unfortunately is the value of IP_CT_ESTABLISHED. The result is that all IPv6 fragments are tracked as ESTABLISHED, allowing them to bypass a usual ruleset which accepts ESTABLISHED packets early. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c1
1 files changed, 1 insertions, 0 deletions
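diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 6f19c4a49560..d1102455668d 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
 }
 nf_conntrack_get(reasm->nfct);
 (*pskb)->nfct = reasm->nfct;
+(*pskb)->nfctinfo = reasm->nfctinfo;
 return NF_ACCEPT;
 }
 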
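Review bot: The added `(*pskb)->nfctinfo = reasm->nfctinfo;` has no comment, so nothing at the assignment tells a later maintainer that dropping or reordering it silently changes how a firewall ruleset classifies the fragment. A one-line comment above it would pin the invariant, for example `/* nfctinfo must follow nfct: left at 0 it reads as IP_CT_ESTABLISHED */`. Because the zero default fails open, any other place that attaches `nfct` to an skb without also setting `nfctinfo` would presumably misclassify in the same way. None is visible in this hunk, so that is worth checking separately. The body of `ipv6_conntrack_in` starts before and continues after the lines shown.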