1 files changed, 6 insertions, 4 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 4ab368fa0b8f..f0328c7bc1c9 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -111,7 +111,7 @@ ip6_packet_match(const struct sk_buff *skb,
                 const char *outdev,
                 const struct ip6t_ip6 *ip6info,
                 unsigned int *protoff,
-                 int *fragoff)
+                 int *fragoff, int *hotdrop)
 {
        size_t i;
        unsigned long ret;
@@ -169,9 +169,11 @@ ip6_packet_match(const struct sk_buff *skb,
                unsigned short _frag_off;
                protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
-                if (protohdr < 0)
+                if (protohdr < 0) {
+                        if (_frag_off == 0)
+                                *hotdrop = 1;
                        return 0;
+                }
                *fragoff = _frag_off;
                dprintf("Packet protocol %hi ?= %s%hi.\n",
@@ -290,7 +292,7 @@ ip6t_do_table(struct sk_buff **pskb,
                IP_NF_ASSERT(e);
                IP_NF_ASSERT(back);
                if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,
-                        &protoff, &offset)) {
+                        &protoff, &offset, &hotdrop)) {
                        struct ip6t_entry_target *t;
                        if (IP6T_MATCH_ITERATE(e, do_match,

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 4ab368fa0b8f..f0328c7bc1c9 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -111,7 +111,7 @@ ip6_packet_match(const struct sk_buff *skb,
111	const char *outdev,	111	const char *outdev,
112	const struct ip6t_ip6 *ip6info,	112	const struct ip6t_ip6 *ip6info,
113	unsigned int *protoff,	113	unsigned int *protoff,
114	int *fragoff)	114	int fragoff, int hotdrop)
115	{	115	{
116	size_t i;	116	size_t i;
117	unsigned long ret;	117	unsigned long ret;
@@ -169,9 +169,11 @@ ip6_packet_match(const struct sk_buff *skb,
169	unsigned short _frag_off;	169	unsigned short _frag_off;
170		170
171	protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);	171	protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
172	if (protohdr < 0)	172	if (protohdr < 0) {
		173	if (_frag_off == 0)
		174	*hotdrop = 1;
173	return 0;	175	return 0;
174		176	}
175	*fragoff = _frag_off;	177	*fragoff = _frag_off;
176		178
177	dprintf("Packet protocol %hi ?= %s%hi.\n",	179	dprintf("Packet protocol %hi ?= %s%hi.\n",
@@ -290,7 +292,7 @@ ip6t_do_table(struct sk_buff **pskb,
290	IP_NF_ASSERT(e);	292	IP_NF_ASSERT(e);
291	IP_NF_ASSERT(back);	293	IP_NF_ASSERT(back);
292	if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,	294	if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,
293	&protoff, &offset)) {	295	&protoff, &offset, &hotdrop)) {
294	struct ip6t_entry_target *t;	296	struct ip6t_entry_target *t;
295		297
296	if (IP6T_MATCH_ITERATE(e, do_match,	298	if (IP6T_MATCH_ITERATE(e, do_match,