projects / platform / kernel / linux-rpi.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 10151d7) | patch
netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 9 Sep 2016 10:42:53 +0000 (12:42 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 12 Sep 2016 16:52:32 +0000 (18:52 +0200)
commit71212c9b04eba76faa4dca26ccd1552d6bb300c1
treec94e136ed7989fd72d416cd506bcca99b5549472tree | snapshot
parent10151d7b03e23afce76a59f717f2616a10ddef86commit | diff
netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport

This is overly conservative and not flexible at all, so better let them
go through and let the filtering policy decide what to do with them. We
use skb_header_pointer() all over the place so we would just fail to
match when trying to access fields from malformed traffic.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_tables_ipv6.h diff | blob | history
net/ipv6/netfilter/nf_tables_ipv6.c diff | blob | history
net/ipv6/netfilter/nft_chain_route_ipv6.c diff | blob | history
Domain: System / Kernel;