diff options
| author |   Patrick McHardy <kaber@trash.net> | 2012-08-26 19:13:59 +0200 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-30 03:00:11 +0200 |
| commit | 2b60af017880f7dc35d1fac65f48fc94f8a3c1ec (patch) | |
| tree | 9d31901b188530c740a8b3243580c3bd4de4563a /net/netfilter/nf_conntrack_irc.c | |
| parent | netfilter: nf_conntrack_ipv6: improve fragmentation handling (diff) | |
| download | linux-dev-2b60af017880f7dc35d1fac65f48fc94f8a3c1ec.tar.xz linux-dev-2b60af017880f7dc35d1fac65f48fc94f8a3c1ec.zip | |
netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments
ICMPv6 error messages are tracked by extracting the conntrack tuple of
the inner packet and looking up the corresponding conntrack entry. Tuple
extraction uses the ->get_l4proto() callback, which in case of fragments
returns NEXTHDR_FRAGMENT instead of the upper protocol, even for the
first fragment when the entire next header is present, resulting in a
failure to find the correct connection tracking entry.
This patch changes ipv6_get_l4proto() to use ipv6_skip_exthdr() instead
of nf_ct_ipv6_skip_exthdr() in order to skip fragment headers when the
fragment offset is zero.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter/nf_conntrack_irc.c')
0 files changed, 0 insertions, 0 deletions