* IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
From: Harald Welte <laforge@netfilter.org>
Date: 2003-11-22 9:03 UTC
To: netdev
Cc: Netfilter Development Mailinglist

Hi!

At least to me it was not known (until very recently) that the IPv6
multicast code in net/ipv6/mcast.c bypasses the netfilter hooks - but it
does.

I don't have the time to work on this right now, just wanted to drop a
note to netdev that people are aware of this issue.

This basically means that you cannot do packet filtering with ip6tables
on outgoing MLD packets.

If anyone wants to write a patch before I get the time: Feel free to do so.

Dave: I think this would be post 2.6.0 stuff, wouldn't it?

-- 
- Harald Welte <laforge@netfilter.org>               http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed."                          -- Paul Vixie
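A defender-side check, added here as an example and not part of this thread or of the kernel code under discussion: a small Python parser that recognises MLD messages the way a capture tool or a filter rule has to, by stepping over the Hop-by-Hop extension header (Router Alert, RFC 2711) that sits in front of the ICMPv6 header, and that verifies the ICMPv6 checksum over the IPv6 pseudo-header, the same quantity csum_ipv6_magic() fills in in the patch later in this thread. The sample MLDv2 report is constructed inline (fe80::1 reporting ff02::16 with a CHANGE_TO_EXCLUDE record, field layout per RFC 3810); the helper names are this example's own.

```python
"""Classify IPv6 frames as MLD and verify their ICMPv6 checksum (added example)."""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_ICMPV6 = 58
MLD_TYPES = {130: "MLD Query", 131: "MLDv1 Report",
             132: "MLDv1 Done", 143: "MLDv2 Report"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """ICMPv6 checksum: IPv6 pseudo-header (src, dst, upper-layer length, next
    header 58) followed by the message with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6)
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF


def has_router_alert(options: bytes) -> bool:
    """Scan Hop-by-Hop option TLVs for Router Alert (type 5) with value 0 (MLD)."""
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:  # Pad1 carries no length byte
            i += 1
            continue
        opt_len = options[i + 1]
        if opt_type == 5 and opt_len == 2 and options[i + 2:i + 4] == b"\x00\x00":
            return True
        i += 2 + opt_len
    return False


def parse_ipv6(frame: bytes) -> dict:
    """Classify one IPv6 packet (no link-layer header)."""
    if len(frame) < 40 or frame[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh, hop_limit = struct.unpack("!HBB", frame[4:8])
    src, dst = frame[8:24], frame[24:40]
    off, end = 40, 40 + payload_len
    router_alert = False
    # Testing next-header == 58 on the fixed header misses MLD: the Hop-by-Hop
    # header comes first, so walk the extension-header chain (0, 43, 60).
    while nh in (0, 43, 60):
        ext_nh, ext_len = frame[off], frame[off + 1]
        ext_total = (ext_len + 1) * 8
        if nh == IPPROTO_HOPOPTS:
            router_alert = has_router_alert(frame[off + 2:off + ext_total])
        nh, off = ext_nh, off + ext_total
    info = {"src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)),
            "hop_limit": hop_limit, "router_alert": router_alert,
            "next_header": nh, "mld": False}
    if nh != IPPROTO_ICMPV6:
        return info
    icmp = frame[off:end]
    stored = struct.unpack("!H", icmp[2:4])[0]
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    info.update(type=icmp[0], name=MLD_TYPES.get(icmp[0], "other ICMPv6"),
                mld=icmp[0] in MLD_TYPES,
                checksum_ok=icmpv6_checksum(src, dst, zeroed) == stored)
    return info


def wrap_icmpv6(src: bytes, dst: bytes, icmp: bytes, hop_limit: int,
                router_alert: bool) -> bytes:
    """Fill in the checksum and prepend the IPv6 header, plus a Hop-by-Hop
    header carrying Router Alert when asked for (MLD requires it)."""
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    hbh = b""
    if router_alert:  # next header 58, ext len 0 (8 bytes): RA option + PadN
        hbh = bytes([IPPROTO_ICMPV6, 0]) + b"\x05\x02\x00\x00" + b"\x01\x00"
    first = IPPROTO_HOPOPTS if router_alert else IPPROTO_ICMPV6
    fixed = struct.pack("!IHBB", 0x60000000, len(hbh) + len(icmp), first, hop_limit)
    return fixed + src + dst + hbh + icmp


def mldv2_report(groups: list) -> bytes:
    """MLDv2 Report (type 143) with one CHANGE_TO_EXCLUDE (4) record per group."""
    records = b"".join(struct.pack("!BBH", 4, 0, 0) + g for g in groups)
    return struct.pack("!BBHHH", 143, 0, 0, 0, len(groups)) + records


# Constructed samples for this example, not captured traffic
SRC = ipaddress.IPv6Address("fe80::1").packed
ALL_MLDV2_ROUTERS = ipaddress.IPv6Address("ff02::16").packed
SAMPLE_REPORT = wrap_icmpv6(SRC, ALL_MLDV2_ROUTERS,
                            mldv2_report([ALL_MLDV2_ROUTERS]), 1, True)
SAMPLE_ECHO = wrap_icmpv6(SRC, SRC, struct.pack("!BBHHH", 128, 0, 0, 1, 1), 64, False)

if __name__ == "__main__":
    for pkt in (SAMPLE_REPORT, SAMPLE_ECHO):
        print(parse_ipv6(pkt))
```

The walk over extension headers is the part that matters for MLD: a rule or parser that only checks the fixed header's next-header field for 58 never sees these packets, because the Router Alert Hop-by-Hop header always precedes the ICMPv6 header. The checksum check is what tells a corrupted or hand-assembled report apart from one a stack produced.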
* Re: IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
From: David S. Miller
Date: 2003-11-23 23:43 UTC
To: Harald Welte
Cc: netdev, netfilter-devel

On Sat, 22 Nov 2003 10:03:30 +0100
Harald Welte <laforge@netfilter.org> wrote:

> At least to me it was not known (until very recently) that the IPv6
> multicast code in net/ipv6/mcast.c bypasses the netfilter hooks - but it
> does.
 ...
> Dave: I think this would be post 2.6.0 stuff, wouldn't it?

If the fix is simple enough (1 or 2 one-liner changes) and easy
to verify, I would consider it for 2.6.0

I may even look into this myself.

Thanks Harald.
* [PATCH 2.4.x] IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
From: Harald Welte <laforge@netfilter.org>
Date: 2003-12-04 9:01 UTC
To: David S. Miller
Cc: netdev, netfilter-devel

On Sun, Nov 23, 2003 at 03:43:22PM -0800, David S. Miller wrote:
> If the fix is simple enough (1 or 2 one-liner changes) and easy
> to verify, I would consider it for 2.6.0
>
> I may even look into this myself.

Now that the other Dave's fix has made it in 2.6.0-test11, I have merged
it (untested, but compiles) with 2.4.x.

Dave, would you consider applying this to 2.4.x ?

Thanks.

Greetings (still from India),
Harald.

--- linux.old/net/ipv6/mcast.c 2003-11-28 23:55:59.000000000 +0530 +++ linux/net/ipv6/mcast.c 2003-12-04 14:21:42.000000000 +0530 @@ -45,6 +45,9 @@ #include <linux/init.h> #include <linux/proc_fs.h> +#include <linux/netfilter.h> +#include <linux/netfilter_ipv6.h> + #include <net/sock.h> #include <net/snmp.h> @@ -1262,7 +1265,7 @@ { struct ipv6hdr *pip6 = skb->nh.ipv6h; struct mld2_report *pmr = (struct mld2_report *)skb->h.raw; - int payload_len, mldlen; + int payload_len, mldlen, err; payload_len = skb->tail - (unsigned char *)skb->nh.ipv6h - sizeof(struct ipv6hdr); @@ -1271,8 +1274,10 @@ pmr->csum = csum_ipv6_magic(&pip6->saddr, &pip6->daddr, mldlen, IPPROTO_ICMPV6, csum_partial(skb->h.raw, mldlen, 0)); - dev_queue_xmit(skb); - ICMP6_INC_STATS(Icmp6OutMsgs); + err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev, + dev_queue_xmit); + if (!err) + ICMP6_INC_STATS(Icmp6OutMsgs); } static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel) 
@@ -1596,12 +1601,16 @@ IPPROTO_ICMPV6, csum_partial((__u8 *) hdr, len, 0)); - dev_queue_xmit(skb); - if (type == ICMPV6_MGM_REDUCTION) - ICMP6_INC_STATS(Icmp6OutGroupMembReductions); - else - ICMP6_INC_STATS(Icmp6OutGroupMembResponses); - ICMP6_INC_STATS(Icmp6OutMsgs); + err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev, + dev_queue_xmit); + if (!err) { + if (type == ICMPV6_MGM_REDUCTION) + ICMP6_INC_STATS(Icmp6OutGroupMembReductions); + else + ICMP6_INC_STATS(Icmp6OutGroupMembResponses); + ICMP6_INC_STATS(Icmp6OutMsgs); + } + return; out: -- - Harald Welte <laforge@netfilter.org> http://www.netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
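Review bot: in the @@ -1271,8 +1274,10 @@ hunk (mld_sendpack), `if (!err) ICMP6_INC_STATS(Icmp6OutMsgs);` changes what the counter means, not just when it is bumped: NF_HOOK hands the accepted skb to the okfn and returns its result, so a non-zero return from dev_queue_xmit (a queue drop) now also suppresses the count, whereas before this hunk Icmp6OutMsgs was incremented unconditionally after dev_queue_xmit. If the intent is only to stop counting reports that ip6tables dropped, say so in the description or count before the hand-off. The description should also state that only NF_IP6_LOCAL_OUT is traversed here and that dev_queue_xmit is the okfn, so MLDv2 reports become visible to OUTPUT rules but are still not seen by any POST_ROUTING hook; ip6tables users will need to know which chain to put MLD rules in.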
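Review bot: the `+ return;` added before `out:` in @@ -1596,12 +1601,16 @@ (igmp6_send) is a control-flow change that the description does not mention; "merged it with 2.4.x" reads as a straight port of the 2.6 fix, so please state why 2.4 needs the early return and what the pre-patch code did when it fell through to out:. Minor: this hunk uses `err` without adding a declaration, unlike the mld_sendpack hunk, so it relies on igmp6_send already declaring one; fine if it does, but worth a look given the patch is described as compile-tested only.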
* Re: [PATCH 2.4.x] IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
From: David S. Miller
Date: 2003-12-04 18:37 UTC
To: Harald Welte
Cc: netdev, netfilter-devel

On Thu, 4 Dec 2003 14:31:21 +0530
Harald Welte <laforge@netfilter.org> wrote:

> Now that the other Dave's fix has made it in 2.6.0-test11, I have merged
> it (untested, but compiles) with 2.4.x.
>
> Dave, would you consider applying this to 2.4.x ?

Done, thanks for catching this Harald.