Date: Mon, 12 Oct 2020 14:56:14 +0200
From: Pablo Neira Ayuso
To: Georg Kohmann
Cc: netdev@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, kuba@kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net] netfilter: Drop fragmented ndisc packets assembled in netfilter
Message-ID: <20201012125614.GA27601@salvia>
References: <20201012125347.13011-1-geokohma@cisco.com>
In-Reply-To: <20201012125347.13011-1-geokohma@cisco.com>

Please, Cc: netfilter-devel@vger.kernel.org for your netfilter patches, so patchwork can catch it there too next time.

On Mon, Oct 12, 2020 at 02:53:47PM +0200, Georg Kohmann wrote:
> Fragmented ndisc packets assembled in netfilter not dropped as specified
> in RFC 6980, section 5. This behaviour breaks TAHI IPv6 Core Conformance
> Tests v6LC.2.1.22/23, V6LC.2.2.26/27 and V6LC.2.3.18.
>
> Setting IPSKB_FRAGMENTED flag during reassembly.
>
> References: commit b800c3b966bc ("ipv6: drop fragmented ndisc packets by
> default (RFC 6980)")
> Signed-off-by: Georg Kohmann
> --- > net/ipv6/netfilter/nf_conntrack_reasm.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c > index fed9666..054d287 100644 > --- a/net/ipv6/netfilter/nf_conntrack_reasm.c > +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c 
> @@ -355,6 +355,7 @@ static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb, > ipv6_hdr(skb)->payload_len = htons(payload_len); > ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn); > IP6CB(skb)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size; > + IP6CB(skb)->flags |= IP6SKB_FRAGMENTED; > > /* Yes, and fold redundant checksum back. 8) */ > if (skb->ip_summed == CHECKSUM_COMPLETE) > -- > 2.10.2 >
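
Review bot: The changelog says "Setting IPSKB_FRAGMENTED flag", but the added line in nf_ct_frag6_reasm() sets IP6SKB_FRAGMENTED on IP6CB(skb)->flags; the commit message should name the flag the code actually uses so the two can be matched when searching the history. The new assignment also carries no comment, and nothing in the hunk says who consumes the flag. A one-line comment above it noting that the flag marks the reassembled skb so that fragmented ndisc packets can be dropped per RFC 6980, section 5 (as in the referenced commit b800c3b966bc) would make the intent clear to someone reading the reassembly path on its own.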