On Wed, Nov 23, 2022 at 01:16:39PM +0100, Florian Westphal wrote:
> icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not
> do this.
>
> For icmpv6, only icmp errors (code <= 128) are examined for RELATED state.
> ICMPV6 Redirects are part of neighbour discovery mechanism, those are
> handled by marking a selected subset (e.g. neighbour solicitations) as
> UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID.
>
> Add minimal support for REDIRECTs. No parsing of neighbour options is
> added for simplicity, so this will only check that we have the embedded
> original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow
> lookup for this tuple.
>
> Also extend the existing test case to cover redirects.

Applied to nf-next, thanks.