summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'tags/2.6.18-11/30002_nf_conntrack-set-nfctinfo.patch')
-rw-r--r--tags/2.6.18-11/30002_nf_conntrack-set-nfctinfo.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/tags/2.6.18-11/30002_nf_conntrack-set-nfctinfo.patch b/tags/2.6.18-11/30002_nf_conntrack-set-nfctinfo.patch
new file mode 100644
index 0000000..f540a67
--- /dev/null
+++ b/tags/2.6.18-11/30002_nf_conntrack-set-nfctinfo.patch
@@ -0,0 +1,35 @@
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
+Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+X-Git-Tag: v2.6.20.3~11
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
+
+nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+The individual fragments of a packet reassembled by conntrack have the
+conntrack reference from the reassembled packet attached, but nfctinfo
+is not copied. This leaves it initialized to 0, which unfortunately is
+the value of IP_CT_ESTABLISHED.
+
+The result is that all IPv6 fragments are tracked as ESTABLISHED,
+allowing them to bypass a usual ruleset which accepts ESTABLISHED
+packets early.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index a20615f..6155b80 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+ }
+ nf_conntrack_get(reasm->nfct);
+ (*pskb)->nfct = reasm->nfct;
++ (*pskb)->nfctinfo = reasm->nfctinfo;
+ return NF_ACCEPT;
+ }
+