1 files changed, 21 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 114a92e4258d..c323643ffcf9 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -53,6 +53,17 @@ static const u_int8_t invmap[] = {
        [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_QUERY +1
 };
+static const u_int8_t noct_valid_new[] = {
+        [ICMPV6_MGM_QUERY - 130] = 1,
+        [ICMPV6_MGM_REPORT -130] = 1,
+        [ICMPV6_MGM_REDUCTION - 130] = 1,
+        [NDISC_ROUTER_SOLICITATION - 130] = 1,
+        [NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
+        [NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
+        [NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
+        [ICMPV6_MLD2_REPORT - 130] = 1
+};
 static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
                                const struct nf_conntrack_tuple *orig)
 {
@@ -178,6 +189,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 {
        const struct icmp6hdr *icmp6h;
        struct icmp6hdr _ih;
+        int type;
        icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
        if (icmp6h == NULL) {
@@ -194,6 +206,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
                return -NF_ACCEPT;
        }
+        type = icmp6h->icmp6_type - 130;
+        if (type >= 0 && type < sizeof(noct_valid_new) &&
+            noct_valid_new[type]) {
+                skb->nfct = &nf_conntrack_untracked.ct_general;
+                skb->nfctinfo = IP_CT_NEW;
+                nf_conntrack_get(skb->nfct);
+                return NF_ACCEPT;
+        }
        /* is not error message ? */
        if (icmp6h->icmp6_type >= 128)
                return NF_ACCEPT;

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index 114a92e4258d..c323643ffcf9 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -53,6 +53,17 @@ static const u_int8_t invmap[] = {
53	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_QUERY +1	53	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_QUERY +1
54	};	54	};
55		55
		56	static const u_int8_t noct_valid_new[] = {
		57	[ICMPV6_MGM_QUERY - 130] = 1,
		58	[ICMPV6_MGM_REPORT -130] = 1,
		59	[ICMPV6_MGM_REDUCTION - 130] = 1,
		60	[NDISC_ROUTER_SOLICITATION - 130] = 1,
		61	[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
		62	[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
		63	[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
		64	[ICMPV6_MLD2_REPORT - 130] = 1
		65	};
		66
56	static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,	67	static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
57	const struct nf_conntrack_tuple *orig)	68	const struct nf_conntrack_tuple *orig)
58	{	69	{
@@ -178,6 +189,7 @@ icmpv6_error(struct net net, struct sk_buff skb, unsigned int dataoff,
178	{	189	{
179	const struct icmp6hdr *icmp6h;	190	const struct icmp6hdr *icmp6h;
180	struct icmp6hdr _ih;	191	struct icmp6hdr _ih;
		192	int type;
181		193
182	icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);	194	icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
183	if (icmp6h == NULL) {	195	if (icmp6h == NULL) {
@@ -194,6 +206,15 @@ icmpv6_error(struct net net, struct sk_buff skb, unsigned int dataoff,
194	return -NF_ACCEPT;	206	return -NF_ACCEPT;
195	}	207	}
196		208
		209	type = icmp6h->icmp6_type - 130;
		210	if (type >= 0 && type < sizeof(noct_valid_new) &&
		211	noct_valid_new[type]) {
		212	skb->nfct = &nf_conntrack_untracked.ct_general;
		213	skb->nfctinfo = IP_CT_NEW;
		214	nf_conntrack_get(skb->nfct);
		215	return NF_ACCEPT;
		216	}
		217
197	/* is not error message ? */	218	/* is not error message ? */
198	if (icmp6h->icmp6_type >= 128)	219	if (icmp6h->icmp6_type >= 128)
199	return NF_ACCEPT;	220	return NF_ACCEPT;