Re: [PATCH] netfilter: don't track ICMPv6 negotiation message.

Yasuyuki KOZAKAI <yasuyuki.kozakai@xxxxxxxxxxxxx> · Tue, 27 Jan 2009 19:07:08 +0900 (JST)

Can you s/autoconfiguration/Stateless Address Autoconfiguration, MLD, and MLDv2/
in commit log ?

Others are fine to me.

-- Yasuyuki Kozakai

From: Eric Leblond <eric@xxxxxx>
Date: Sat, 24 Jan 2009 11:32:58 +0100

> This patch removes connection tracking handling for ICMPv6 messages
> related to autoconfiguration. They can be tracked because they are
> massively using multicast (on pre-defined address). But they are not
> invalid.
> 
> Signed-off-by: Eric Leblond <eric@xxxxxx>
> ---
>  net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   21 +++++++++++++++++++++
>  1 files changed, 21 insertions(+), 0 deletions(-)
> 
> diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> index 6f859c1..94ace19 100644
> --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> @@ -53,6 +53,17 @@ static const u_int8_t invmap[] = {
>  	[ICMPV6_NI_REPLY - 128]		= ICMPV6_NI_QUERY +1
>  };
>  
> +static const u_int8_t noct_valid_new[] = {
> +	[ICMPV6_MGM_QUERY - 130] = 1,
> +	[ICMPV6_MGM_REPORT -130] = 1,
> +	[ICMPV6_MGM_REDUCTION - 130] = 1,
> +	[NDISC_ROUTER_SOLICITATION - 130] = 1,
> +	[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
> +	[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
> +	[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
> +	[ICMPV6_MLD2_REPORT - 130] = 1
> +};
> +
>  static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
>  				const struct nf_conntrack_tuple *orig)
>  {
> @@ -182,6 +193,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
>  {
>  	const struct icmp6hdr *icmp6h;
>  	struct icmp6hdr _ih;
> +	int type;
>  
>  	icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
>  	if (icmp6h == NULL) {
> @@ -199,6 +211,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
>  		return -NF_ACCEPT;
>  	}
>  
> +	type = icmp6h->icmp6_type - 130;
> +	if (type >= 0 && type < sizeof(noct_valid_new)
> +	    && noct_valid_new[type]) {
> +		skb->nfct = &nf_conntrack_untracked.ct_general;
> +		skb->nfctinfo = IP_CT_NEW;
> +		nf_conntrack_get(skb->nfct);
> +		return NF_ACCEPT;
> +	}
> +
>  	/* is not error message ? */
>  	if (icmp6h->icmp6_type >= 128)
>  		return NF_ACCEPT;
> -- 
> 1.5.6.3
> 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html