diff options
author | Vincent Bernat <vincent@bernat.im> | 2018-05-20 14:03:38 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-23 10:25:54 +0300 |
commit | cede24d1b21d68d84ac5a36c44f7d37daadcc258 (patch) | |
tree | 1288a6c901df4eb511f96e2ab4c08e697ac03ebf /net/ipv6/Kconfig | |
parent | 8d8540c4f5e03d847c004e71d6a577bf4f8c78cd (diff) | |
download | linux-cede24d1b21d68d84ac5a36c44f7d37daadcc258.tar.xz |
netfilter: ip6t_rpfilter: provide input interface for route lookup
In commit 47b7e7f82802, this bit was removed at the same time the
RT6_LOOKUP_F_IFACE flag was removed. However, it is needed when
link-local addresses are used, which is a very common case: when
packets are routed, neighbor solicitations are done using link-local
addresses. For example, the following neighbor solicitation is not
matched by "-m rpfilter":
IP6 fe80::5254:33ff:fe00:1 > ff02::1:ff00:3: ICMP6, neighbor
solicitation, who has 2001:db8::5254:33ff:fe00:3, length 32
Commit 47b7e7f82802 doesn't quite explain why we shouldn't use
RT6_LOOKUP_F_IFACE in the rpfilter case. I suppose the interface check
later in the function would make it redundant. However, the remaining
of the routing code is using RT6_LOOKUP_F_IFACE when there is no
source address (which matches rpfilter's case with a non-unicast
destination, like with neighbor solicitation).
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Fixes: 47b7e7f82802 ("netfilter: don't set F_IFACE on ipv6 fib lookups")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6/Kconfig')
0 files changed, 0 insertions, 0 deletions