git.baikalelectronics.ru Git - kernel.git/commit
netfilter: conntrack: set icmpv6 redirects as RELATED
author Florian Westphal <fw@strlen.de>
Tue, 22 Nov 2022 15:00:09 +0000 (16:00 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Jan 2023 10:41:08 +0000 (11:41 +0100)
commit 1d67d3c2a661de0ff3fa56e4828c09dc438931ff
tree 32f704d9973bcfae028b8d5bbde94e88a9114da7
parent 25ff94d5a2c870d7daee4416459a8bbb8e401ecd
netfilter: conntrack: set icmpv6 redirects as RELATED

[ Upstream commit 7d7cfb48d81353e826493d24c7cec7360950968f ]

icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not
do this.

For icmpv6, only icmp errors (code <= 128) are examined for RELATED state.
ICMPV6 Redirects are part of neighbour discovery mechanism, those are
handled by marking a selected subset (e.g. neighbour solicitations) as
UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID.

Add minimal support for REDIRECTs.  No parsing of neighbour options is
added for simplicity, so this will only check that we have the embedded
original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow
lookup for this tuple.

Also extend the existing test case to cover redirects.

Fixes: b0bbff62ec62 ("[NETFILTER]: Add nf_conntrack subsystem.")
Reported-by: Eric Garver <eric@garver.life>
Link: https://github.com/firewalld/firewalld/issues/1046
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nf_conntrack_proto_icmpv6.c
tools/testing/selftests/netfilter/conntrack_icmp_related.sh
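The following Python model is an added example, not the kernel's code and not part of this commit. It reproduces the classification the commit message describes: ICMPv6 error messages (RFC 4443 types below 128) and, after the fix, Redirects (type 137) that carry a Redirected Header option (ND_OPT_REDIRECT_HDR, type 4) have their embedded original packet looked up against tracked flows and become RELATED; router/neighbour discovery messages are UNTRACKED; a Redirect whose embedded packet matches no flow is INVALID, which is what every Redirect was before the fix. Assumptions that are mine rather than the page's: a plain Python set of TCP/UDP 5-tuples stands in for the conntrack hash, checksums are not verified, IPv6 extension headers are not modelled, only the first neighbour-discovery option is examined (mirroring the "no parsing of neighbour options" simplification), and the RFC 4861 section 8.1 validity rules (code 0, hop limit 255, link-local source) are applied before the option is inspected. All packets are constructed inline.

```python
"""Toy ICMPv6 conntrack classifier (added example; not the kernel's code).

Constructed packets are classified as RELATED, UNTRACKED, INVALID or NEW
the way the commit message describes; checksums are not verified and the
"flow table" is a set of (proto, src, sport, dst, dport) tuples.
"""
import ipaddress
import struct
from collections import namedtuple

ICMPV6 = 58
TCP, UDP = 6, 17
ICMPV6_REDIRECT = 137
ND_TYPES = {133, 134, 135, 136}   # RS, RA, NS, NA: left untracked by conntrack
ND_OPT_REDIRECT_HDR = 4           # Redirected Header option, RFC 4861 section 4.6.3
RD_MSG_LEN = 4 + 4 + 16 + 16      # ICMPv6 header, reserved, target addr, dest addr
ND_OPT_HDR_LEN = 8                # option type, length, 6 reserved bytes

IPv6 = namedtuple("IPv6", "nh hop_limit src dst payload")


def parse_ipv6(buf):
    """Parse the fixed 40-byte IPv6 header (extension headers not modelled)."""
    if len(buf) < 40:
        return None
    return IPv6(buf[6], buf[7], ipaddress.IPv6Address(buf[8:24]),
                ipaddress.IPv6Address(buf[24:40]), buf[40:])


def inner_tuple(buf):
    """5-tuple of an embedded TCP/UDP packet, or None if it cannot be read."""
    ip = parse_ipv6(buf)
    if ip is None or ip.nh not in (TCP, UDP) or len(ip.payload) < 4:
        return None
    sport, dport = struct.unpack("!HH", ip.payload[:4])
    return (ip.nh, ip.src, sport, ip.dst, dport)


def lookup_related(embedded, flows):
    """RELATED if the embedded original packet belongs to a tracked flow (either direction)."""
    t = inner_tuple(embedded)
    if t is None:
        return "INVALID"
    reverse = (t[0], t[3], t[4], t[1], t[2])
    return "RELATED" if t in flows or reverse in flows else "INVALID"


def classify(pkt, flows):
    """Verdict for one outer IPv6/ICMPv6 packet against the toy flow table."""
    ip = parse_ipv6(pkt)
    if ip is None or ip.nh != ICMPV6 or len(ip.payload) < 8:
        return "INVALID"
    icmp = ip.payload
    typ, code = icmp[0], icmp[1]
    if typ < 128:
        # RFC 4443 error message: the offending packet follows the 8-byte header
        return lookup_related(icmp[8:], flows)
    if typ in ND_TYPES:
        return "UNTRACKED"
    if typ == ICMPV6_REDIRECT:
        # RFC 4861 section 8.1 validity rules (assumed here; not stated on the page)
        if code != 0 or ip.hop_limit != 255 or not ip.src.is_link_local:
            return "INVALID"
        if len(icmp) < RD_MSG_LEN + ND_OPT_HDR_LEN or icmp[RD_MSG_LEN + 1] == 0:
            return "INVALID"                 # no options at all
        if icmp[RD_MSG_LEN] != ND_OPT_REDIRECT_HDR:
            return "INVALID"                 # simplification: only the first option is examined
        return lookup_related(icmp[RD_MSG_LEN + ND_OPT_HDR_LEN:], flows)
    return "NEW"                             # e.g. echo request: would open a new entry


def ipv6(src, dst, nh, payload, hop_limit=64):
    """Build an IPv6 packet (version 6, zero traffic class and flow label)."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), nh, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + payload)


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def redirect(target, dest, original):
    """ICMPv6 Redirect whose first option is a Redirected Header carrying `original`."""
    hdr = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)
    hdr += ipaddress.IPv6Address(target).packed + ipaddress.IPv6Address(dest).packed
    body = original + b"\x00" * ((-(ND_OPT_HDR_LEN + len(original))) % 8)   # pad to 8 octets
    opt = struct.pack("!BB6x", ND_OPT_REDIRECT_HDR, (ND_OPT_HDR_LEN + len(body)) // 8)
    return hdr + opt + body


def demo():
    """Constructed scenario: host sent a UDP packet, router answers with a Redirect."""
    host, peer, router = "fe80::1", "2001:db8::2", "fe80::a"
    original = ipv6(host, peer, UDP, udp(40000, 53))     # packet the host sent...
    flows = {inner_tuple(original)}                      # ...and conntrack already tracks
    rd = ipv6(router, host, ICMPV6, redirect("fe80::b", peer, original), hop_limit=255)
    bad_hl = ipv6(router, host, ICMPV6, redirect("fe80::b", peer, original))   # hop limit 64
    unreach = ipv6(router, host, ICMPV6, bytes([1, 0, 0, 0, 0, 0, 0, 0]) + original)
    ns = ipv6(router, host, ICMPV6, bytes([135, 0, 0, 0]) + b"\x00" * 20, hop_limit=255)
    return {
        "redirect, tracked flow": classify(rd, flows),
        "redirect, unknown flow": classify(rd, set()),
        "redirect, hop limit 64": classify(bad_hl, flows),
        "dest unreachable, tracked flow": classify(unreach, flows),
        "neighbour solicitation": classify(ns, flows),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "redirect, unknown flow" case is the behaviour firewalls saw before this change for every Redirect: with no embedded-header lookup the message could never be tied to a flow, so a `ct state invalid drop` rule discarded it. The hop-limit case shows why the validity rules run before the option lookup: a Redirect that does not come from an on-link router with hop limit 255 is rejected without ever consulting the flow table.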