Dear,
I would provide you a small patch in order to fix a BUG when GRE over IPv6 is used with netfilter/conntrack module.
This is my first contribution, not knowing the procedure well, thank you for being aware of this request.
Regarding the proposed patch, here is a description of the encountered bug.
Indeed, when an ip6tables rule dropping traffic due to an invalid packet (aka w/ conntrack module) is placed before a GRE protocol permit rule, the latter is never reached ; the packet is discarded via the previous rule.
The proposed patch takes into account both IPv4 and IPv6 in conntrack module for GRE protocol.
You will find this one at the end of this email.
I personally tested this, successfully.
By making a contribution to this project, I certify that:
a. The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
b. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
c. The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
d. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
Signed-off-by: ludovic senecaux <linuxludo@xxxxxxx>
Thanks for your reply,
Regards,
---
Here is the patch:
--- nf_conntrack_proto_gre.c.orig 2021-03-03 05:03:37.034665100 -0500
+++ nf_conntrack_proto_gre.c 2021-03-02 17:42:53.000000000 -0500
@@ -219,7 +219,7 @@ int nf_conntrack_gre_packet(struct nf_co
enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state)
{
- if (state->pf != NFPROTO_IPV4)
+ if (state->pf != NFPROTO_IPV4 && state->pf != NFPROTO_IPV6)
return -NF_ACCEPT;
if (!nf_ct_is_confirmed(ct)) {
