Re: dropping UNTRACKED packets, breaks IPv6 - why?


 



Hello,

Christoph Anton Mitterer wrote:
> 
> The idea with dropping the UNTRACKED/INVALID was that such packages are
> probably not good fellows and should stay out...

You should not blindly drop UNTRACKED or INVALID IPv6 packets.

Originally, ICMPv6 types related to NDP (Neighbour Discovery Protocol),
i.e. Router Solicitation and Router Advertisement (used for stateless
autoconfiguration), Neighbour Solicitation and Neighbour Advertisement
(used as a replacement for ARP request and reply), and a few others had
the INVALID state. However these types are required for proper IPv6
operation on ethernet-like links. Since kernel 2.6.29, they are not
tracked any more and have the UNTRACKED state. See the commit below.

commit 3f9007135c1dc896db9a9e35920aafc65b157230
Author: Eric Leblond <eric@xxxxxx>
Date:   Mon Feb 9 14:33:20 2009 -0800

    netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message

    This patch removes connection tracking handling for ICMPv6 messages
    related to Stateless Address Autoconfiguration, MLD, and MLDv2. They
    cannot be tracked because they are massively using multicast (on
    pre-defined addresses). But they are not invalid and should not be
    detected as such.

    Signed-off-by: Eric Leblond <eric@xxxxxx>
    Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
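The rule ordering the reply argues for, as an added example that is not part of the original post and not code from the netfilter project: a POSIX shell script that emits an ip6tables-restore ruleset which accepts the ICMPv6 types named in the commit (MLD query/report/done 130-132, RS/RA/NS/NA 133-136, MLDv2 report 143) before the INVALID/UNTRACKED drop, and then checks that every such type really has an ACCEPT rule ahead of the DROP. The type numbers come from RFC 2710/3810/4861, not from the post; the `--hl-eq 255` guard on the NDP types (RFC 4861 requires a hop limit of 255, which off-link forgeries cannot have) and the function names are choices of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes ip6tables-restore
# syntax and the IANA ICMPv6 type numbers (RFC 2710, RFC 3810, RFC 4861).

# ICMPv6 types that conntrack leaves UNTRACKED since 2.6.29 (per the quoted
# commit): MLD query/report/done 130-132, RS/RA/NS/NA 133-136, MLDv2 report 143.
UNTRACKED_ICMPV6_TYPES="130 131 132 133 134 135 136 143"

# Return 0 if the given ICMPv6 type is one the kernel does not track.
is_untracked_icmpv6_type() {
    for t in $UNTRACKED_ICMPV6_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Print an ip6tables-restore ruleset in which NDP and MLD are accepted
# before INVALID/UNTRACKED packets are dropped. NDP types additionally
# require hop limit 255 (RFC 4861), which a packet that crossed a router
# cannot carry; MLD has no such requirement here and is accepted by type.
ndp_safe_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for t in 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    for t in 130 131 132 143; do
        echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
COMMIT
EOF
}

# Sanity check: every UNTRACKED ICMPv6 type has an ACCEPT rule, and all of
# them appear before the INVALID,UNTRACKED DROP rule. Returns 0 on success.
ruleset_order_ok() {
    ruleset=$(ndp_safe_ruleset)
    drop_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- '--ctstate INVALID,UNTRACKED -j DROP' | cut -d: -f1)
    [ -n "$drop_line" ] || return 1
    for t in $UNTRACKED_ICMPV6_TYPES; do
        acc_line=$(printf '%s\n' "$ruleset" \
            | grep -n -- "--icmpv6-type $t " | cut -d: -f1)
        [ -n "$acc_line" ] || return 1
        [ "$acc_line" -lt "$drop_line" ] || return 1
    done
    return 0
}

# Usage (as root): ndp_safe_ruleset | ip6tables-restore --test
```

Only the types the commit message names are whitelisted here; anything else that a later kernel may also leave untracked (Redirect, type 137, is the obvious candidate) is deliberately not included and should be added only after checking the conntrack code of the kernel in use. On nftables the same shape applies: an `icmpv6 type { ... } accept` rule must precede `ct state invalid,untracked drop`.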



