authorPablo Neira Ayuso <pablo@netfilter.org>2016-09-09 10:42:53 (GMT)
committerPablo Neira Ayuso <pablo@netfilter.org>2016-09-12 16:52:32 (GMT)
commit71212c9b04eba76faa4dca26ccd1552d6bb300c1 (patch)
treec94e136ed7989fd72d416cd506bcca99b5549472 /net/ipv6/netfilter/nf_tables_ipv6.c
parent10151d7b03e23afce76a59f717f2616a10ddef86 (diff)
netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport
This is overly conservative and not flexible at all, so better let them go through and let the filtering policy decide what to do with them. We use skb_header_pointer() all over the place so we would just fail to match when trying to access fields from malformed traffic. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6/netfilter/nf_tables_ipv6.c')
-rw-r--r--net/ipv6/netfilter/nf_tables_ipv6.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index 30b22f4..05d0592 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -22,9 +22,7 @@ static unsigned int nft_do_chain_ipv6(void *priv,
{
struct nft_pktinfo pkt;
- /* malformed packet, drop it */
- if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
- return NF_DROP;
+ nft_set_pktinfo_ipv6(&pkt, skb, state);
return nft_do_chain(&pkt, priv);
}
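Review bot: The return value of `nft_set_pktinfo_ipv6(&pkt, skb, state)` is now discarded, while `pkt` is still an uninitialized stack struct, so whatever the helper leaves unset on its failure path reaches `nft_do_chain()` as stack garbage. The helper's body is not visible in this hunk, but if it returns early before filling in the transport protocol and transport-header offset, expressions that read those fields will match against indeterminate values. The `skb_header_pointer()` argument in the description only holds when the offset itself is well-defined. Either the helper's error path should set those fields to a defined "no transport header" state, or the caller should do so when the call fails. A comment should also replace the removed one, for example `/* parse failure is not fatal: the ruleset decides what to do with the packet */`. Rulesets that relied on the implicit drop of malformed IPv6 packets now need an explicit rule for them. The function's parameter list begins outside the hunk.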