Hi Pablo,

As it was discussed, at the moment conntrack handles invalid packets differently: IPv6 conntrack marks the packets as INVALID and lets the user drop them by an explicit rule, while IPv4 conntrack simply drops such packets.

The next two patches bring conntrack in sync by changing IPv4 conntrack behaviour to follow IPv6 conntrack. Invalid packet logging support is also added.

The patches are a follow-up to the second version of the patch I sent on Tuesday, with the cover letter subject "Drop malformed IPv4 packets in conntrack, 2nd try".

Best regards,
Jozsef

Jozsef Kadlecsik (2):
  net: netfilter: prepare conntrack for consistent invalid packet handling
  net: netfilter: handle invalid packets consistently in conntrack

 include/net/netfilter/nf_conntrack.h           |  3 +-
 include/net/netfilter/nf_conntrack_l3proto.h   |  5 ++-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 29 ++++++++++++++++-------
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |  2 +-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 11 ++++++--
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |  2 +-
 net/netfilter/nf_conntrack_core.c              |  9 ++++---
 net/netfilter/nf_conntrack_l3proto_generic.c   |  3 +-
 net/netfilter/xt_connlimit.c                   |  2 +-
 9 files changed, 43 insertions(+), 23 deletions(-)