Gitweb:
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dd63006b8fb5abf2336e145632610c6175a28fea
Commit: dd63006b8fb5abf2336e145632610c6175a28fea
Parent: 455921451a176d90c5cfef898f061bb6fc83faaf
Author: Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Tue Mar 6 20:24:18 2007 -0800
Committer: David S. Miller <[EMAIL PROTECTED]>
CommitDate: Wed Mar 7 16:08:01 2007 -0800
[NETFILTER]: nf_conntrack_ipv6: fix incorrect classification of IPv6
fragments as ESTABLISHED
The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.
The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 6f19c4a..d110245 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
}
nf_conntrack_get(reasm->nfct);
(*pskb)->nfct = reasm->nfct;
+ (*pskb)->nfctinfo = reasm->nfctinfo;
return NF_ACCEPT;
}
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
