Commit e2f387d2 authored Aug 25, 2017 by Florian Westphal Committed by Pablo Neira Ayuso Aug 28, 2017

netfilter: conntrack: don't log "invalid" icmpv6 connections

When enabling logging for invalid connections we currently also log most
icmpv6 types, which we don't track intentionally (e.g. neigh discovery).
"invalid" should really mean "invalid", i.e. short header or bad checksum.

We don't do any logging for icmp(v4) either, its just useless noise.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent d3ad2c17

net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

+0 −5

Original line number	Diff line number	Diff line
		@@ -121,11 +121,6 @@ static bool icmpv6_new(struct nf_conn ct, const struct sk_buff skb,
		pr_debug("icmpv6: can't create new conn with type %u\n",
		type + 128);
		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
		if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
		nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
		NULL, NULL,
		"nf_ct_icmpv6: invalid new with type %d ",
		type + 128);
		return false;
		}
		return true;