Skip to content

Commit

Permalink
netfilter: Drop fragmented ndisc packets assembled in netfilter
Browse files Browse the repository at this point in the history 
Fragmented ndisc packets assembled in netfilter not dropped as specified
in RFC 6980, section 5. This behaviour breaks TAHI IPv6 Core Conformance
Tests v6LC.2.1.22/23, V6LC.2.2.26/27 and V6LC.2.3.18.

Setting IP6SKB_FRAGMENTED flag during reassembly.

References: commit b800c3b ("ipv6: drop fragmented ndisc packets by default (RFC 6980)")
Signed-off-by: Georg Kohmann <geokohma@cisco.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  • Loading branch information
Georg Kohmann authored and Pablo Neira Ayuso committed Oct 20, 2020
1 parent 4f25434 commit 68f9f9c
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/ipv6/netfilter/nf_conntrack_reasm.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -355,6 +355,7 @@ static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb,
ipv6_hdr(skb)->payload_len = htons(payload_len);
ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn);
IP6CB(skb)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;

/* Yes, and fold redundant checksum back. 8) */
if (skb->ip_summed == CHECKSUM_COMPLETE)
Expand Down

0 comments on commit 68f9f9c

Please sign in to comment.