netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local (12f36e9b) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_torvalds_linux

Commit 12f36e9b authored Jun 08, 2021 by

Florian Westphal Committed by Pablo Neira Ayuso Jun 09, 2021

netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local

The ip6tables rpfilter match has an extra check to skip packets with
"::" source address.

Extend this to ipv6 fib expression.  Else ipv6 duplicate address detection
packets will fail rpf route check -- lookup returns -ENETUNREACH.

While at it, extend the prerouting check to also cover the ingress hook.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1543
Fixes: f6d0cbcf

 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 82944421

Hide whitespace changes

Inline Side-by-side

Please register or to comment