From: Eric Leblond <eric@inl.fr>
To: yasuyuki.kozakai@toshiba.co.jp
Cc: kaber@trash.net, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] netfilter: don't track ICMPv6 negotiation message.
Date: Thu, 22 Jan 2009 00:49:51 +0100
Message-ID: <1232581791.16003.49.camel@ice-age>
In-Reply-To: <1232581431-15130-2-git-send-email-eric@inl.fr>

Hi,

Oops, sorry, this patch is not clean (indentation change and spacing). I
am sending another one in reply to this mail.

On Thursday, 22 January 2009 at 00:43 +0100, Eric Leblond wrote:
> This patch removes connection tracking handling for ICMPv6 messages
> related to autoconfiguration. They can be tracked because they are
> massively using multicast (on pre-defined address). But they are not
> invalid.
> 
> Signed-off-by: Eric Leblond <eric@inl.fr>
> ---
>  net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   27 +++++++++++++++++++++++-
>  1 files changed, 26 insertions(+), 1 deletions(-)
> 
> diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> index 4aa80ba..34548c3 100644
> --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> @@ -54,12 +54,25 @@ static const u_int8_t invmap[] = {
>  	[ICMPV6_NI_REPLY - 128]		= ICMPV6_NI_QUERY +1
>  };
>  
> +static const u_int8_t noct_valid_new[] = {
> +	[ICMPV6_MGM_QUERY - 130] = 1,
> +	[ICMPV6_MGM_REPORT -130] = 1,
> +	[ICMPV6_MGM_REDUCTION - 130] = 1,
> +	[NDISC_ROUTER_SOLICITATION - 130] = 1,
> +	[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
> +	[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
> +	[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
> +	[ICMPV6_MLD2_REPORT - 130] = 1
> +};
> +
>  static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
>  				const struct nf_conntrack_tuple *orig)
>  {
>  	int type = orig->dst.u.icmp.type - 128;
> -	if (type < 0 || type >= sizeof(invmap) || !invmap[type])
> +
> +	if (type < 0 || type >= sizeof(invmap) || !invmap[type]) {
>  		return false;
> +	}
>  
>  	tuple->src.u.icmp.id   = orig->src.u.icmp.id;
>  	tuple->dst.u.icmp.type = invmap[type] - 1;
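Review bot: the edits to icmpv6_invert_tuple in this hunk (the added blank line and the braces wrapped around the single-statement `return false;`) are unrelated whitespace and style churn; kernel style omits braces around a single statement, so drop them and let the hunk only add the `noct_valid_new` table. Within the table, `[ICMPV6_MGM_REPORT -130] = 1,` is spaced differently from its neighbours; write it `[ICMPV6_MGM_REPORT - 130] = 1,`. A short comment above the table noting that the base is 130 because ICMPV6_MGM_QUERY is the lowest type in the set would also help, since the surrounding `invmap` and `valid_new` tables use a 128 base and a reader will otherwise wonder why this one differs.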
> @@ -109,6 +122,7 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
>  		[ICMPV6_ECHO_REQUEST - 128] = 1,
>  		[ICMPV6_NI_QUERY - 128] = 1
>  	};
> +
>  	int type = ct->tuplehash[0].tuple.dst.u.icmp.type - 128;
>  
>  	if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
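Review bot: the only change in this hunk is a blank line inserted after the `valid_new` initializer, which is unrelated whitespace noise and should be dropped from a functional patch.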
> @@ -198,6 +212,17 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
>  		return -NF_ACCEPT;
>  	}
>  
> +	/* autoconf message handling */
> +	if (nf_ct_icmpv6_autoconf) {
> +		int type = icmp6h->icmp6_type - 130;
> +		if (type >= 0 && type < sizeof(noct_valid_new)
> +		    && noct_valid_new[type]) {
> +			skb->nfct = &nf_conntrack_untracked.ct_general;
> +			skb->nfctinfo = IP_CT_NEW;
> +			nf_conntrack_get(skb->nfct);
> +			return -NF_ACCEPT;
> +		}
> +	}
>  	/* is not error message ? */
>  	if (icmp6h->icmp6_type >= 128)
>  		return NF_ACCEPT;
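Review bot: the new block needs a blank line before the existing `/* is not error message ? */` comment, and the commit message should state the behavioural consequence that is visible here: when `nf_ct_icmpv6_autoconf` is set, packets of the listed types get `skb->nfct` pointed at `nf_conntrack_untracked` and are returned with `-NF_ACCEPT`, so they skip conntrack entirely and show up as UNTRACKED rather than INVALID. A ruleset that only accepts NEW/ESTABLISHED and drops everything else will therefore still drop neighbour discovery unless it also accepts UNTRACKED for these types; that should be documented so administrators enabling the sysctl know what to change. The bounds check `type >= 0 && type < sizeof(noct_valid_new)` is correct for an `int` index, but the literal `130` is repeated here and in the table initializer; a single named constant for the base would keep the two from drifting apart.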
-- 
Eric Leblond <eric@inl.fr>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/