Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
> This patch fixes for example following situation:
> On HOSTA do:
> ip6tables -I INPUT -p icmpv6 -j DROP
> ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT

untested:

-A INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p icmpv6 -m conntrack --ctstatus CONFIRMED -j ACCEPT
-A INPUT -p icmpv6 -j DROP

> and on HOSTB you do:
> ping6 HOSTA -s2000 (MTU is 1500)
>
> Incoming echo requests will be filtered out on HOSTA. This issue does
> not occur with smaller packets than MTU (where fragmentation does not happen).

Patrick, any reason not to kill the special-casing (ct has assigned helper or unconfirmed conntrack) in __ipv6_conntrack_in()?

This should make ipv6 frag behaviour consistent; right now it's rather confusing from a ruleset point of view, especially since the first packet of a connection is always seen as reassembled.

So with Jiri's rules

-A INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p icmpv6 -j DROP

ping6 -s $bignum works for the first packet but not for subsequent ones, which is quite irritating.

This change would obviously have userspace visibility (e.g. -m frag won't work anymore when conntrack is on), but so far I couldn't come up with a scenario where a legitimate ruleset could break.