Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module

linuxludo@xxxxxxx <linuxludo@xxxxxxx> wrote:
> I would like to provide you with a small patch in order to fix a BUG when GRE over IPv6 is used with netfilter/conntrack module.
> 
> This is my first contribution, not knowing the procedure well, thank you for being aware of this request.

See
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst

In short, the patch should pass 'scripts/checkpatch.pl' and should apply
cleanly with 'git am'.

> Regarding the proposed patch, here is a description of the encountered bug.
> Indeed, when an ip6tables rule dropping traffic due to an invalid packet (aka w/ conntrack module) is placed before a GRE protocol permit rule, the latter is never reached; the packet is discarded via the previous rule.
> 
> The proposed patch takes into account both IPv4 and IPv6 in conntrack module for GRE protocol.
> You will find this one at the end of this email.
> 
> I personally tested this, successfully.

If the GRE tracker works fine with ipv6, it's best to just remove
the if-clause entirely; we only support ipv4 and ipv6 anyway.