On Wed, Nov 23, 2022 at 01:16:39PM +0100, Florian Westphal wrote:
> icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not
> do this.
>
> For icmpv6, only icmp errors (code <= 128) are examined for RELATED state.
> ICMPV6 Redirects are part of neighbour discovery mechanism, those are
> handled by marking a selected subset (e.g. neighbour solicitations) as
> UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID.
>
> Add minimal support for REDIRECTs. No parsing of neighbour options is
> added for simplicity, so this will only check that we have the embedded
> original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow
> lookup for this tuple.
>
> Also extend the existing test case to cover redirects.
>
> Reported-by: Eric Garver <eric@xxxxxxxxxxx>
> Link: https://github.com/firewalld/firewalld/issues/1046
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> v2: fix up comment typo and reformat commit message. No other changes.
>
>  net/netfilter/nf_conntrack_proto_icmpv6.c          | 53 +++++++++++++++++++
>  .../netfilter/conntrack_icmp_related.sh            | 36 ++++++++++++-
>  2 files changed, 87 insertions(+), 2 deletions(-)

Thanks Florian!

Acked-by: Eric Garver <eric@xxxxxxxxxxx>
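The lookup the commit message describes, as an added userspace illustration that is not the kernel's conntrack code: find the Redirected Header option (ND_OPT_REDIRECT_HDR, type 4, RFC 4861 section 4.6.3) inside an ICMPv6 Redirect, read the original IPv6 header and transport ports out of it, and look that tuple up in a flow table to decide RELATED versus INVALID. It goes slightly beyond the patch as described: it walks the whole option list (so a Target Link-layer Address option ahead of the redirected header is skipped rather than rejected) and it requires the outer destination to equal the embedded packet's source, the sanity check conntrack applies to ICMP errors. The flow table, the packet bytes, the verdict names and the function names are all constructed for this example.

```c
/* Added example (not the kernel's code): classify an ICMPv6 Redirect by
 * its embedded original header.  Flow table and packet are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMPV6_REDIRECT     137
#define ND_OPT_REDIRECT_HDR 4   /* RFC 4861 "Redirected Header" option */
#define PROTO_TCP           6
#define PROTO_UDP           17

enum verdict { INVALID = 0, RELATED = 1, NOT_A_REDIRECT = 2 };

struct tuple { uint8_t saddr[16], daddr[16]; uint8_t proto; uint16_t sport, dport; };

#define FE80_1 0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0x01   /* the host */
#define FE80_2 0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0x02   /* the router */
#define DB8_2  0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x02 /* remote peer */

static const uint8_t host_addr[16]   = { FE80_1 };
static const uint8_t router_addr[16] = { FE80_2 };

/* Constructed "conntrack table": one TCP flow the host opened to the peer. */
static const struct tuple flows[] = {
    { { FE80_1 }, { DB8_2 }, PROTO_TCP, 40000, 443 },
};

/* Constructed ICMPv6 Redirect payload (checksum not computed or verified). */
static const uint8_t redirect_pkt[] = {
    ICMPV6_REDIRECT, 0, 0, 0, 0, 0, 0, 0,  /* type, code, checksum, reserved */
    FE80_2,                                /* target: better first hop (link-local) */
    DB8_2,                                 /* destination the host was sending to */
    2, 1, 0x02, 0x00, 0x5e, 0x10, 0x00, 0x01, /* Target link-layer address option, skipped */
    ND_OPT_REDIRECT_HDR, 7, 0, 0, 0, 0, 0, 0, /* Redirected Header: 7*8 = 56 bytes */
    0x60, 0, 0, 0, 0x00, 0x08, PROTO_TCP, 64, /* inner IPv6: ver 6, plen 8, TCP, hl 64 */
    FE80_1, DB8_2,                         /* inner src (the host) and dst */
    0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 1,    /* TCP sport 40000, dport 443, seq (cut) */
};

static int addr_eq(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 16) == 0; }

/* A tuple matches a tracked flow in either direction. */
static int flow_known(const struct tuple *t)
{
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++) {
        const struct tuple *f = &flows[i];
        if (f->proto != t->proto) continue;
        if (addr_eq(f->saddr, t->saddr) && addr_eq(f->daddr, t->daddr) &&
            f->sport == t->sport && f->dport == t->dport) return 1;
        if (addr_eq(f->saddr, t->daddr) && addr_eq(f->daddr, t->saddr) &&
            f->sport == t->dport && f->dport == t->sport) return 1;
    }
    return 0;
}

/* outer_hop_limit/outer_daddr come from the outer IPv6 header; p/len is the
 * ICMPv6 message.  RELATED if the redirected header belongs to a known flow. */
enum verdict classify_redirect(uint8_t outer_hop_limit, const uint8_t outer_daddr[16],
                               const uint8_t *p, size_t len)
{
    if (len < 1 || p[0] != ICMPV6_REDIRECT) return NOT_A_REDIRECT;
    /* RFC 4861 8.1: code 0, hop limit 255, at least 40 bytes of ICMP */
    if (len < 40 || p[1] != 0 || outer_hop_limit != 255) return INVALID;

    for (size_t off = 40; off + 2 <= len; ) {
        uint8_t type = p[off];
        size_t olen = (size_t)p[off + 1] * 8;
        if (olen == 0 || off + olen > len) return INVALID; /* malformed option */
        if (type == ND_OPT_REDIRECT_HDR) {
            /* 2-byte option header + 6 reserved bytes, then the original packet */
            const uint8_t *ip = p + off + 8;
            size_t avail = olen - 8;
            struct tuple t;
            memset(&t, 0, sizeof t);
            if (avail < 40 || (ip[0] >> 4) != 6) return INVALID;
            memcpy(t.saddr, ip + 8, 16);
            memcpy(t.daddr, ip + 24, 16);
            t.proto = ip[6];
            if (t.proto == PROTO_TCP || t.proto == PROTO_UDP) {
                if (avail < 44) return INVALID;     /* need both port fields */
                t.sport = (uint16_t)((ip[40] << 8) | ip[41]);
                t.dport = (uint16_t)((ip[42] << 8) | ip[43]);
            }
            /* The redirect must be addressed to the sender of the embedded packet. */
            if (!addr_eq(outer_daddr, t.saddr)) return INVALID;
            return flow_known(&t) ? RELATED : INVALID;
        }
        off += olen;
    }
    return INVALID; /* no embedded original header: nothing to relate it to */
}

int main(void)
{
    enum verdict v = classify_redirect(255, host_addr, redirect_pkt, sizeof redirect_pkt);
    printf("verdict: %s\n", v == RELATED ? "RELATED" : v == INVALID ? "INVALID" : "not a redirect");
    return 0;
}
```

The three INVALID paths worth noticing are the ones a forged redirect would trip: a hop limit below 255 (the message crossed a router), an outer destination that is not the source of the embedded packet, and a redirect that carries no Redirected Header at all, which is exactly the case the commit message says cannot be looked up and so stays INVALID.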