Currently, when ipv6 fragment goes through the netfilter, match functions are called on them directly. This might cause match function to fail. So benefit from the fact that nf_defrag_ipv6 constructs reassembled skb for us and use this reassembled skb for matching. This patch fixes for example following situation: On HOSTA do: ip6tables -I INPUT -p icmpv6 -j DROP ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT and on HOSTB you do: ping6 HOSTA -s2000 (MTU is 1500) Incoming echo requests will be filtered out on HOSTA. This issue does not occur with smaller packets than MTU (where fragmentation does not happen). Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx> --- net/ipv6/netfilter/ip6_tables.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 710238f..ec9cb1a 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -328,6 +328,10 @@ ip6t_do_table(struct sk_buff *skb, const struct xt_table_info *private; struct xt_action_param acpar; unsigned int addend; + struct sk_buff *reasm = skb_nfct_reasm(skb); + + if (!reasm) + reasm = skb; /* Initialization */ indev = in ? in->name : nulldevname; @@ -368,7 +372,7 @@ ip6t_do_table(struct sk_buff *skb, IP_NF_ASSERT(e); acpar.thoff = 0; - if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, + if (!ip6_packet_match(reasm, indev, outdev, &e->ipv6, &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) { no_match: e = ip6t_next_entry(e); @@ -378,7 +382,7 @@ ip6t_do_table(struct sk_buff *skb, xt_ematch_foreach(ematch, e) { acpar.match = ematch->u.kernel.match; acpar.matchinfo = ematch->data; - if (!acpar.match->match(skb, &acpar)) + if (!acpar.match->match(reasm, &acpar)) goto no_match; } -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html