Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 9c13886665c43600bd0af4b38e33c654e648e078

Authored by Jozsef Kadlecsik
Committed by Patrick McHardy
1 parent 55e0d7cf27
Exists in master and in 7 other branches imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-l5.0.0_1.0.0-ga

netfilter: ip6table_raw: fix table priority 

The order of the IPv6 raw table is currently reversed, that makes impossible
to use the NOTRACK target in IPv6: for example if someone enters

ip6tables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and if we receive fragmented packets then the first fragment will be
untracked and thus skip nf_ct_frag6_gather (and conntrack), while all
subsequent fragments enter nf_ct_frag6_gather and reassembly will never
successfully be finished.

Singed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Showing 2 changed files with 2 additions and 1 deletions Side-by-side Diff

include/linux/netfilter_ipv6.h
Diff comments   View file @ 9c13886
... ... @@ -59,6 +59,7 @@
59 59 enum nf_ip6_hook_priorities {
60 60 NF_IP6_PRI_FIRST = INT_MIN,
61 61 NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
  62 + NF_IP6_PRI_RAW = -300,
62 63 NF_IP6_PRI_SELINUX_FIRST = -225,
63 64 NF_IP6_PRI_CONNTRACK = -200,
64 65 NF_IP6_PRI_MANGLE = -150,
net/ipv6/netfilter/ip6table_raw.c
Diff comments   View file @ 9c13886
... ... @@ -13,7 +13,7 @@
13 13 .valid_hooks = RAW_VALID_HOOKS,
14 14 .me = THIS_MODULE,
15 15 .af = NFPROTO_IPV6,
16   - .priority = NF_IP6_PRI_FIRST,
  16 + .priority = NF_IP6_PRI_RAW,
17 17 };
18 18  
19 19 /* The work comes in here from netfilter.c. */