2b60af0178
ICMPv6 error messages are tracked by extracting the conntrack tuple of the inner packet and looking up the corresponding conntrack entry. Tuple extraction uses the ->get_l4proto() callback, which in case of fragments returns NEXTHDR_FRAGMENT instead of the upper protocol, even for the first fragment when the entire next header is present, resulting in a failure to find the correct connection tracking entry. This patch changes ipv6_get_l4proto() to use ipv6_skip_exthdr() instead of nf_ct_ipv6_skip_exthdr() in order to skip fragment headers when the fragment offset is zero. Signed-off-by: Patrick McHardy <kaber@trash.net> |
||
|---|---|---|
| .. | ||
| ip6_tables.c | ||
| ip6t_ah.c | ||
| ip6t_eui64.c | ||
| ip6t_frag.c | ||
| ip6t_hbh.c | ||
| ip6t_ipv6header.c | ||
| ip6t_mh.c | ||
| ip6t_REJECT.c | ||
| ip6t_rpfilter.c | ||
| ip6t_rt.c | ||
| ip6table_filter.c | ||
| ip6table_mangle.c | ||
| ip6table_raw.c | ||
| ip6table_security.c | ||
| Kconfig | ||
| Makefile | ||
| nf_conntrack_l3proto_ipv6.c | ||
| nf_conntrack_proto_icmpv6.c | ||
| nf_conntrack_reasm.c | ||
| nf_defrag_ipv6_hooks.c | ||