netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 44/47] netfilter: conntrack: don't log "invalid" icmpv6 connections
Date: Mon,  4 Sep 2017 00:42:51 +0200
Message-ID: <1504478574-13281-9-git-send-email-pablo@netfilter.org>
In-Reply-To: <1504478574-13281-1-git-send-email-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

When enabling logging for invalid connections we currently also log most
icmpv6 types, which we don't track intentionally (e.g. neigh discovery).
"invalid" should really mean "invalid", i.e. short header or bad checksum.

We don't do any logging for icmp(v4) either, it's just useless noise.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 808f63e2e1ff..43544b975eae 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -121,11 +121,6 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
 		pr_debug("icmpv6: can't create new conn with type %u\n",
 			 type + 128);
 		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
-		if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
-			nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
-				      NULL, NULL,
-				      "nf_ct_icmpv6: invalid new with type %d ",
-				      type + 128);
 		return false;
 	}
 	return true;
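
Review bot: with the LOG_INVALID()/nf_log_packet() call gone, the untracked-type branch of icmpv6_new() leaves only pr_debug() and nf_ct_dump_tuple_ipv6() before `return false;`, so nothing in the code records that the omission is deliberate. A one-line comment above `return false;` saying that these types (e.g. neighbour discovery) are intentionally not tracked and therefore not logged as invalid would keep the call from being re-added later. It would also help if the commit message stated explicitly that only the log output changes and the branch still returns false, so anyone who relies on invalid-packet logging to see unexpected ICMPv6 types knows those packets are handled as before but no longer show up in the log.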
-- 
2.1.4
