netfilter-devel.vger.kernel.org archive mirror
From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 01/03]: nf_conntrack_ipv6: fix incorrect classification of IPv6 fragments as ESTABLISHED
Date: Tue,  6 Mar 2007 08:44:02 +0100 (MET)
Message-ID: <20070306074402.24479.30970.sendpatchset@localhost.localdomain>
In-Reply-To: <20070306074400.24479.43171.sendpatchset@localhost.localdomain>

[NETFILTER]: nf_conntrack_ipv6: fix incorrect classification of IPv6 fragments as ESTABLISHED

The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.

The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5bd8638bfa97ebf5ff7765ed06fccd594108e92f
tree 8adea214d03250ab3d1babdcb84706684c550874
parent 393e32c96abe68f7aa2a399b4600dfba8b15a83b
author Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 06:53:14 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 07:15:45 +0100

 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 6f19c4a..d110245 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(un
 		}
 		nf_conntrack_get(reasm->nfct);
 		(*pskb)->nfct = reasm->nfct;
+		(*pskb)->nfctinfo = reasm->nfctinfo;
 		return NF_ACCEPT;
 	}
 
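Review bot: The added assignment (*pskb)->nfctinfo = reasm->nfctinfo; in ipv6_conntrack_in() carries no comment, and the failure it prevents is silent, because an uncopied nfctinfo stays 0, which the commit message says is the value of IP_CT_ESTABLISHED. A one-line comment above the two assignments, stating that nfct and nfctinfo must always be copied together, would keep a later refactor from dropping one of them. It is also worth checking whether any other path attaches reasm->nfct to a fragment without the state, since only this one site is visible in the hunk.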

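The effect described in the commit message, as an added example that is not part of the original patch or the kernel source. It is a simplified user-space model: struct pkt, struct conn, attach_conntrack, ruleset and fragment_verdict are hypothetical names, and the ruleset is constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified user-space model, not kernel code. That IP_CT_ESTABLISHED
 * has the value 0 is the fact taken from the commit message. */
enum ct_info { IP_CT_ESTABLISHED = 0, IP_CT_RELATED, IP_CT_NEW };
enum verdict { VERDICT_DROP, VERDICT_ACCEPT };

struct conn { int id; };            /* stands in for the conntrack entry */
struct pkt {                        /* stands in for the skb fields involved */
    struct conn *nfct;
    enum ct_info nfctinfo;
};

/* Attach the reassembled packet's conntrack to one of its fragments. */
static void attach_conntrack(struct pkt *frag, const struct pkt *reasm, int fixed)
{
    frag->nfct = reasm->nfct;
    if (fixed)                      /* the assignment the patch adds */
        frag->nfctinfo = reasm->nfctinfo;
}

/* Constructed ruleset: accept ESTABLISHED early, drop everything else. */
static enum verdict ruleset(const struct pkt *p)
{
    if (p->nfct != NULL && p->nfctinfo == IP_CT_ESTABLISHED)
        return VERDICT_ACCEPT;
    return VERDICT_DROP;
}

/* Verdict for a fragment whose reassembled packet is in state `state`. */
static enum verdict fragment_verdict(enum ct_info state, int fixed)
{
    struct conn c = { 1 };
    struct pkt reasm = { &c, state };
    struct pkt frag = { NULL, 0 };  /* state left at its zero default */

    attach_conntrack(&frag, &reasm, fixed);
    return ruleset(&frag);
}

int main(void)
{
    printf("NEW, before fix: %d\n", fragment_verdict(IP_CT_NEW, 0));
    printf("NEW, after fix:  %d\n", fragment_verdict(IP_CT_NEW, 1));
    return 0;
}
```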
Thread overview: 5+ messages
2007-03-06  7:44 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
2007-03-06  7:44 ` Patrick McHardy [this message]
2007-03-06  7:44 ` [NETFILTER 02/03]: nfnetlink_log: zero-terminate prefix Patrick McHardy
2007-03-06  7:44 ` [NETFILTER 03/03]: nfnetlink_log: fix crash on bridged packet Patrick McHardy
2007-03-07  4:25 ` [NETFILTER 00/03]: Netfilter fixes David Miller
