Re: [PATCH net-next 05/12] netfilter: conntrack: set icmpv6 redirects as RELATED

On 2023/2/14 16:19, Wang Hai wrote:

On 2022/12/11 18:11, Pablo Neira Ayuso wrote:
From: Florian Westphal <fw@xxxxxxxxx>

icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not
do this.

For icmpv6, only icmp errors (code <= 128) are examined for RELATED state.
ICMPV6 Redirects are part of neighbour discovery mechanism, those are
handled by marking a selected subset (e.g.  neighbour solicitations) as
UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID.

Add minimal support for REDIRECTs.  No parsing of neighbour options is
added for simplicity, so this will only check that we have the embedded
original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow
lookup for this tuple.

Also extend the existing test case to cover redirects.

Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Reported-by: Eric Garver <eric@xxxxxxxxxxx>
Link: https://github.com/firewalld/firewalld/issues/1046
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Acked-by: Eric Garver <eric@xxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
  net/netfilter/nf_conntrack_proto_icmpv6.c     | 53 +++++++++++++++++++
  .../netfilter/conntrack_icmp_related.sh       | 36 ++++++++++++-
  2 files changed, 87 insertions(+), 2 deletions(-)
Hi, Florian.

The new ipv4 redirects test case doesn't seem to work; is there a problem with my testing steps?

# sh tools/testing/selftests/netfilter/conntrack_icmp_related.sh
PASS: icmp mtu error had RELATED state
ERROR: counter redir4 in nsclient1 has unexpected value (expected packets 1 bytes 112)
table inet filter {
        counter redir4 {
                packets 0 bytes 0
        }
}
ERROR: icmp redirect RELATED state test has failed.

The test is based on commit f6feea56f66d ("Merge tag 'mm-hotfixes-stable-2023-02-13-13-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm")

Hi, Florian.

I found the reason why it failed. This needs to be configured on the host with net.ipv4.conf.default.send_redirects=1.

Sorry to bother you.

--
Wang Hai
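As an added illustration, not code from this patch or from the kernel, here is the embedded-header check the commit message describes written as a stand-alone parser: it walks the ND options of an ICMPv6 Redirect, finds the Redirected Header option and extracts the inner tuple a conntrack lookup would be keyed on. It goes a little beyond the patch by walking the whole option list rather than looking only at the first option; the two sample messages are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ICMPV6_REDIRECT     137
#define ND_OPT_REDIRECT_HDR 4   /* RFC 4861 "Redirected Header" option */

/* Key a conntrack-style lookup would use: inner addresses and protocol. */
struct inner_tuple {
    uint8_t src[16], dst[16];
    uint8_t nexthdr;
};
/* Parse an ICMPv6 Redirect from its ICMPv6 header on.  Returns 1 and fills *t
 * if a Redirected Header option with a complete inner IPv6 header is present
 * (candidate for RELATED), 0 if well-formed but without one, -1 if malformed. */
int icmpv6_redirect_inner_tuple(const uint8_t *msg, size_t len, struct inner_tuple *t)
{
    size_t off = 40;  /* type, code, csum, reserved(4), target(16), dest(16) */
    if (len < off || msg[0] != ICMPV6_REDIRECT || msg[1] != 0)
        return -1;
    while (off + 2 <= len) {                /* walk the ND option TLV list */
        uint8_t type = msg[off], optlen = msg[off + 1];
        size_t bytes = (size_t)optlen * 8;  /* option length: 8-octet units */
        if (optlen == 0 || off + bytes > len)
            return -1;                      /* zero-length or truncated option */
        if (type == ND_OPT_REDIRECT_HDR) {
            const uint8_t *ip6 = msg + off + 8;  /* skip type, len, 6 reserved */
            if (bytes < 8 + 40 || (ip6[0] >> 4) != 6)
                return -1;                  /* no complete inner IPv6 header */
            memcpy(t->src, ip6 + 8, 16);
            memcpy(t->dst, ip6 + 24, 16);
            t->nexthdr = ip6[6];
            return 1;
        }
        off += bytes;
    }
    return 0;
}

/* Constructed samples, not captures.  First: Redirected Header option (type 4,
 * len 6) wrapping an inner IPv6 header 2001:db8::1 -> 2001:db8::2, next
 * header 58.  Second: only a target link-layer option (type 2), no header. */
const uint8_t sample_redirect[88] = {
    137, 0, 0, 0, [40] = ND_OPT_REDIRECT_HDR, 6,
    [48] = 0x60, 0, 0, 0, 0, 8, 58, 64,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,
};
const uint8_t sample_redirect_nohdr[48] = { 137, 0, [40] = 2, 1 };
```

A redirect that yields 0 here is ordinary neighbour discovery and would still need the UNTRACKED handling the commit message mentions; only the 1 case has a tuple to look up.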
