author: Georg Kohmann <geokohma@cisco.com> 2020-10-13 14:23:12 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-20 13:54:53 +0200
commit: 68f9f9c2c3b6a7259f6a92bc26cdc7bd22e7a982 (patch)
tree: 3a2457acc9eb577d7ffa6c11ab3cc1a173441acb /net
parent: 4f25434bccc28cf8a07876ef5142a2869a674353 (diff)
netfilter: Drop fragmented ndisc packets assembled in netfilter

Fragmented ndisc packets assembled in netfilter not dropped as specified
in RFC 6980, section 5. This behaviour breaks TAHI IPv6 Core Conformance
Tests v6LC.2.1.22/23, V6LC.2.2.26/27 and V6LC.2.3.18.

Setting IP6SKB_FRAGMENTED flag during reassembly.

References: commit b800c3b966bc ("ipv6: drop fragmented ndisc packets by default (RFC 6980)")
Signed-off-by: Georg Kohmann <geokohma@cisco.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- net/ipv6/netfilter/nf_conntrack_reasm.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index fed9666a2f7d..054d287eb13d 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -355,6 +355,7 @@ static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb,
ipv6_hdr(skb)->payload_len = htons(payload_len);
ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn);
IP6CB(skb)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
+ IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
/* Yes, and fold redundant checksum back. 8) */
if (skb->ip_summed == CHECKSUM_COMPLETE)
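Review bot: The added `IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;` in nf_ct_frag6_reasm() is unconditional, so every packet reassembled by netfilter now carries the flag, not only ndisc ones, while the commit message only discusses the RFC 6980 ndisc case. Please say in the commit message that the other readers of IP6SKB_FRAGMENTED were checked for this path. A one-line comment above the assignment naming the ndisc check that relies on it would also help, since nothing at this spot explains why the flag is set next to frag_max_size.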