-stable review patch. If anyone has any objections, please let us know.
------------------
From: Patrick McHardy <[EMAIL PROTECTED]>
[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as
ESTABLISHED
The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.
The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(un
}
nf_conntrack_get(reasm->nfct);
(*pskb)->nfct = reasm->nfct;
+ (*pskb)->nfctinfo = reasm->nfctinfo;
return NF_ACCEPT;
}
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
