Re: [PATCH net] ipv6/netfilter: Drop Packet Too Big with invalid payload

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 24.06.2021 11:05, Florian Westphal wrote:
> Georg Kohmann <geokohma@xxxxxxxxx> wrote:
>> PMTU is updated even though received ICMPv6 PTB do not match any
>> transmitted traffic. This breaks TAHI IPv6 Core Conformance Test
>> Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1].
>>
>> Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should
>> appropriately validate the payload of ICMPv6 PTB messages to ensure
>> these are received in response to transmitted traffic (i.e., a reported
>> error condition that corresponds to an IPv6 packet actually sent by the
>> application) per [ICMPv6]."
>>
>> nf_conntrack_inet_error() return -NF_ACCEPT if the inner header of
>> ICMPv6 error packet is not related to an existing connection. Drop PTB
>> packet when this occur. This will prevent ipv6 from handling the packet
>> and update the PMTU.
> This is intentional. We try to not auto-drop packets in conntrack.
>
> Packet is marked as invalid, users can add nft/iptables rules to discard
> such packets if they want to do so.
Ah, dropping patch then, thank you.




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux