Hi Pablo,

On Mon, Mar 13, 2017 at 1:40 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Mar 07, 2017 at 11:00:43AM +0100, Alin Nastac wrote:
>> Extract the IPv6 packet that triggered the sending of the redirect message from
>> the ICMPv6 Redirected Header option and check if the conntrack table contains such
>> a connection. Mark the redirect packet as RELATED if a matching connection is found.
>
> I think we need a sysctl to enable this on demand, e.g.
> 'nf_conntrack_icmpv6_accept_redirects'
>
> This is changing the default behaviour, my main concern here is that
> filtering policies not accepting redirects will now make it via
> RELATED.

net/ipv4/netfilter/nf_conntrack_proto_icmp.c gives RELATED status to all ICMP redirect messages that refer to valid conntracks. Why would the ICMPv6 redirect case be any different? Would you implement a similar sysctl switch for the ICMP redirect RELATED state? And if you do, would you accept enabling these switches by default?

IMHO ICMPv6 redirects were not included in the original nf_conntrack_proto_icmpv6.c due to the relative complexity of their format.
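The lookup the patch description above refers to, written out as a stand-alone userspace example (added here; this is not the patch under discussion nor kernel code). It walks the ND options of an ICMPv6 Redirect (RFC 4861, type 137), finds the Redirected Header option (type 4), pulls the 5-tuple out of the embedded IPv6 packet and checks it against a conntrack table in both the original and the reply direction, which is the condition under which the redirect would be marked RELATED. Assumptions: the embedded packet carries TCP or UDP directly after the IPv6 header (no extension headers), the conntrack table is a constructed two-entry array, the hosts `host_a`/`host_b` and the helper `build_redirect_sample` are constructed test input, and the ICMPv6 checksum, target and destination fields are not validated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ICMPv6 Redirect (RFC 4861, 4.5) and Redirected Header option (4.6.3). */
#define ICMPV6_REDIRECT          137
#define ND_OPT_REDIRECTED_HEADER 4
#define ICMPV6_REDIRECT_HDR_LEN  40   /* type .. destination address */
#define IPV6_HDR_LEN             40

struct ct_tuple {
    uint8_t  src[16], dst[16];
    uint8_t  proto;              /* 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
};

void make_tuple(struct ct_tuple *t, const uint8_t *src, const uint8_t *dst,
                uint8_t proto, uint16_t sport, uint16_t dport)
{
    memcpy(t->src, src, 16); memcpy(t->dst, dst, 16);
    t->proto = proto; t->sport = sport; t->dport = dport;
}

static bool tuple_eq(const struct ct_tuple *a, const struct ct_tuple *b)
{
    return a->proto == b->proto && a->sport == b->sport && a->dport == b->dport &&
           memcmp(a->src, b->src, 16) == 0 && memcmp(a->dst, b->dst, 16) == 0;
}

/* Constructed hosts and a two-entry conntrack table (original direction only). */
static const uint8_t host_a[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x10};
static const uint8_t host_b[16] = {0x20,0x01,0x0d,0xb8,0,1,0,0,0,0,0,0,0,0,0,0x20};
static struct ct_tuple ct_table[2];
static size_t ct_count;

static void ct_table_init(void)
{
    if (ct_count) return;
    make_tuple(&ct_table[0], host_a, host_b, 6,  40000, 443);
    make_tuple(&ct_table[1], host_a, host_b, 17, 5353,  53);
    ct_count = 2;
}

/* Walk the redirect's ND options, find the Redirected Header option and pull the
   5-tuple out of the IPv6 packet it carries. Assumption: TCP/UDP follows the
   IPv6 header directly (no extension headers). */
bool icmpv6_redirect_inner_tuple(const uint8_t *pkt, size_t len, struct ct_tuple *out)
{
    if (len < ICMPV6_REDIRECT_HDR_LEN || pkt[0] != ICMPV6_REDIRECT || pkt[1] != 0)
        return false;
    for (size_t off = ICMPV6_REDIRECT_HDR_LEN; off + 2 <= len; ) {
        size_t optlen = (size_t)pkt[off + 1] * 8;      /* length is in 8-octet units */
        if (optlen == 0 || off + optlen > len)
            return false;              /* RFC 4861: zero-length or truncated option, discard */
        if (pkt[off] == ND_OPT_REDIRECTED_HEADER) {
            const uint8_t *ip6 = pkt + off + 8;        /* type, length, 6 reserved octets */
            if (optlen - 8 < IPV6_HDR_LEN + 4 || (ip6[0] >> 4) != 6)
                return false;          /* need the whole header plus both ports */
            uint8_t proto = ip6[6];
            if (proto != 6 && proto != 17)
                return false;
            make_tuple(out, ip6 + 8, ip6 + 24, proto,
                       (uint16_t)(ip6[40] << 8 | ip6[41]),
                       (uint16_t)(ip6[42] << 8 | ip6[43]));
            return true;
        }
        off += optlen;
    }
    return false;                      /* no Redirected Header option present */
}

/* True if the packet that triggered the redirect belongs to a tracked connection
   in either direction, i.e. the redirect would get RELATED state. */
bool icmpv6_redirect_is_related(const uint8_t *pkt, size_t len)
{
    struct ct_tuple t, inv;
    if (!icmpv6_redirect_inner_tuple(pkt, len, &t))
        return false;
    make_tuple(&inv, t.dst, t.src, t.proto, t.dport, t.sport);  /* reply direction */
    ct_table_init();
    for (size_t i = 0; i < ct_count; i++)
        if (tuple_eq(&ct_table[i], &t) || tuple_eq(&ct_table[i], &inv))
            return true;
    return false;
}

/* Constructed test input: a Redirect carrying the given inner packet, optionally
   preceded by a Source Link-Layer Address option so the option walk is exercised.
   Checksum, target and destination stay zero; not a packet for the wire.
   Returns the length written, 0 if buf is too small. */
size_t build_redirect_sample(uint8_t *buf, size_t cap, const struct ct_tuple *inner,
                             bool with_lladdr_opt)
{
    size_t off = ICMPV6_REDIRECT_HDR_LEN + (with_lladdr_opt ? 8 : 0);
    size_t need = off + 8 + IPV6_HDR_LEN + 8;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = ICMPV6_REDIRECT;
    if (with_lladdr_opt) { buf[40] = 1; buf[41] = 1; }    /* type 1, one 8-octet unit */
    buf[off] = ND_OPT_REDIRECTED_HEADER;
    buf[off + 1] = (8 + IPV6_HDR_LEN + 8) / 8;            /* 56 octets = 7 units */
    uint8_t *ip6 = buf + off + 8;
    ip6[0] = 0x60; ip6[5] = 8; ip6[6] = inner->proto; ip6[7] = 64;
    memcpy(ip6 + 8, inner->src, 16); memcpy(ip6 + 24, inner->dst, 16);
    ip6[40] = (uint8_t)(inner->sport >> 8); ip6[41] = (uint8_t)(inner->sport & 0xff);
    ip6[42] = (uint8_t)(inner->dport >> 8); ip6[43] = (uint8_t)(inner->dport & 0xff);
    return need;
}
```

The reply-direction check matters because the embedded packet is the one the host sent, so its tuple is the original direction of the flow as conntrack sees it; checking the inverted tuple as well keeps the lookup correct whichever side originated the connection. A zero option length ends the walk with a rejection rather than looping, which is the case a crafted redirect would aim at.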