On Fri, Jan 12, 2018 at 05:36:27PM -0700, Subash Abhinov Kasiviswanathan wrote:
> ipv6_defrag pulls network headers before fragment header. In case of
> an error, the netfilter layer is currently dropping these packets.
> This results in failure of some IPv6 standards tests which passed on
> older kernels due to the netfilter framework using cloning.
>
> The test case run here is a check for ICMPv6 error message replies
> when some invalid IPv6 fragments are sent. This specific test case is
> listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf
> in the Extension Header Processing Order section.
>
> A packet with unrecognized option Type 11 is sent and the test expects
> an ICMP error in line with RFC2460 section 4.2 -
>
> 11 - discard the packet and, only if the packet's Destination
> Address was not a multicast address, send an ICMP Parameter
> Problem, Code 2, message to the packet's Source Address,
> pointing to the unrecognized Option Type.
>
> Since netfilter layer now drops all invalid IPv6 frag packets, we no
> longer see the ICMP error message and fail the test case.
>
> To fix this, save the transport header. If defrag is unable to process
> the packet due to RFC2460, restore the transport header and allow packet
> to be processed by stack. There is no change for other packet
> processing paths.
>
> Tested by confirming that stack sends an ICMP error when it receives
> these packets. Also tested that fragmented ICMP pings succeed.

Applied, thanks Subash.
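The RFC 2460 section 4.2 rule the conformance test exercises, written out as an added example (not code from this thread or from the kernel patch): a walk over an extension header's options that returns the drop/ICMP verdict selected by the two high-order bits of the first unrecognized Option Type. The function and type names, the sample bytes, and the choice to recognize only Pad1 and PadN are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdicts from the two high-order bits of an unrecognized Option Type
 * (RFC 2460 section 4.2). */
enum opt_action { OPT_OK, OPT_DROP, OPT_DROP_ICMP, OPT_DROP_ICMP_UNICAST, OPT_MALFORMED };

struct opt_verdict {
    enum opt_action action;
    size_t offset;  /* offending Option Type, relative to the extension header */
    int send_icmp;  /* 1: reply with ICMPv6 Parameter Problem, Code 2 */
};

/* Constructed samples: Next Header 58 (ICMPv6), Hdr Ext Len 0, one 4-byte option. */
const uint8_t sample_type11[8] = { 0x3A, 0x00, 0xC7, 0x04, 0, 0, 0, 0 }; /* bits 11 */
const uint8_t sample_type10[8] = { 0x3A, 0x00, 0x87, 0x04, 0, 0, 0, 0 }; /* bits 10 */
const uint8_t sample_padn[8]   = { 0x3A, 0x00, 0x01, 0x04, 0, 0, 0, 0 }; /* PadN only */

static struct opt_verdict verdict(enum opt_action a, size_t off, int icmp)
{
    struct opt_verdict v = { a, off, icmp };
    return v;
}

/* Walk the TLV options of a Hop-by-Hop or Destination Options header.
 * Only Pad1 and PadN are treated as recognized (an assumption of this example). */
struct opt_verdict check_options(const uint8_t *hdr, size_t len, int dst_is_multicast)
{
    if (len < 8 || ((size_t)hdr[1] + 1) * 8 > len)
        return verdict(OPT_MALFORMED, 0, 0);
    size_t hlen = ((size_t)hdr[1] + 1) * 8;

    for (size_t off = 2; off < hlen; ) {
        uint8_t type = hdr[off];
        if (type == 0x00) { off++; continue; }          /* Pad1 has no length byte */
        if (off + 2 > hlen || off + 2 + hdr[off + 1] > hlen)
            return verdict(OPT_MALFORMED, off, 0);      /* option overruns the header */
        if (type != 0x01) {                             /* not PadN: unrecognized */
            switch (type >> 6) {
            case 1: return verdict(OPT_DROP, off, 0);
            case 2: return verdict(OPT_DROP_ICMP, off, 1);
            case 3: return verdict(OPT_DROP_ICMP_UNICAST, off, !dst_is_multicast);
            default: break;                             /* 00: skip this option */
            }
        }
        off += 2 + (size_t)hdr[off + 1];
    }
    return verdict(OPT_OK, 0, 0);
}
```

The returned offset is relative to the start of the extension header; a caller building the Parameter Problem message would add the header's position within the packet to form the ICMP pointer.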