Commit 9c138866 authored Mar 25, 2010 by Jozsef Kadlecsik Committed by Patrick McHardy Mar 25, 2010

netfilter: ip6table_raw: fix table priority



The order of the IPv6 raw table is currently reversed, that makes impossible
to use the NOTRACK target in IPv6: for example if someone enters

ip6tables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and if we receive fragmented packets then the first fragment will be
untracked and thus skip nf_ct_frag6_gather (and conntrack), while all
subsequent fragments enter nf_ct_frag6_gather and reassembly will never
successfully be finished.

Singed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

parent 55e0d7cf

include/linux/netfilter_ipv6.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -59,6 +59,7 @@
		enum nf_ip6_hook_priorities {
		NF_IP6_PRI_FIRST = INT_MIN,
		NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
		NF_IP6_PRI_RAW = -300,
		NF_IP6_PRI_SELINUX_FIRST = -225,
		NF_IP6_PRI_CONNTRACK = -200,
		NF_IP6_PRI_MANGLE = -150,

net/ipv6/netfilter/ip6table_raw.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -13,7 +13,7 @@ static const struct xt_table packet_raw = {
		.valid_hooks = RAW_VALID_HOOKS,
		.me = THIS_MODULE,
		.af = NFPROTO_IPV6,
		.priority = NF_IP6_PRI_FIRST,
		.priority = NF_IP6_PRI_RAW,
		};

		/* The work comes in here from netfilter.c. */