[PATCH 2.4.x] IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks

To: "David S. Miller" <davem@xxxxxxxxxx>
Subject: [PATCH 2.4.x] IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
From: Harald Welte <laforge@xxxxxxxxxxxxx>
Date: Thu, 4 Dec 2003 14:31:21 +0530
Cc: netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20031123154344.3e2b0b1a.davem@redhat.com>
Mail-followup-to: Harald Welte <laforge@xxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
References: <20031122090330.GB2745@obroa-skai.de.gnumonks.org> <20031123154344.3e2b0b1a.davem@redhat.com>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.4i
On Sun, Nov 23, 2003 at 03:43:22PM -0800, David S. Miller wrote:
> If the fix is simple enough (1 or 2 one-liner changes) and easy
> to verify, I would consider it for 2.6.0
> 
> I may even look into this myself.

Now that the other Dave's fix has made it in 2.6.0-test11, I have merged
it (untested, but compiles) with 2.4.x.

Dave, would you consider applying this to 2.4.x?

Thanks.

Greetings (still from India),
        Harald.

--- linux.old/net/ipv6/mcast.c  2003-11-28 23:55:59.000000000 +0530
+++ linux/net/ipv6/mcast.c      2003-12-04 14:21:42.000000000 +0530
@@ -45,6 +45,9 @@
 #include <linux/init.h>
 #include <linux/proc_fs.h>
 
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
+
 #include <net/sock.h>
 #include <net/snmp.h>
 
@@ -1262,7 +1265,7 @@
 {
        struct ipv6hdr *pip6 = skb->nh.ipv6h;
        struct mld2_report *pmr = (struct mld2_report *)skb->h.raw;
-       int payload_len, mldlen;
+       int payload_len, mldlen, err;
 
        payload_len = skb->tail - (unsigned char *)skb->nh.ipv6h -
                sizeof(struct ipv6hdr);
@@ -1271,8 +1274,10 @@
 
        pmr->csum = csum_ipv6_magic(&pip6->saddr, &pip6->daddr, mldlen,
                IPPROTO_ICMPV6, csum_partial(skb->h.raw, mldlen, 0));
-       dev_queue_xmit(skb);
-       ICMP6_INC_STATS(Icmp6OutMsgs);
+       err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev,
+                     dev_queue_xmit);
+       if (!err)
+               ICMP6_INC_STATS(Icmp6OutMsgs);
 }
 
 static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel)
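
Review bot: In the hunk at -1271, Icmp6OutMsgs is now incremented only when NF_HOOK() returns 0, whereas the removed lines counted every report unconditionally. Because err carries whatever the hook traversal or dev_queue_xmit hands back, any non-zero result silently stops being counted as an output message. Please add a one-line comment above `if (!err)` stating that this is intended, and mention the accounting change in the changelog. The NULL passed as the input device alongside skb->dev as the output device also deserves a word in the description, since the patch is described as untested.
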
@@ -1596,12 +1601,16 @@
                                           IPPROTO_ICMPV6,
                                           csum_partial((__u8 *) hdr, len, 0));
 
-       dev_queue_xmit(skb);
-       if (type == ICMPV6_MGM_REDUCTION)
-               ICMP6_INC_STATS(Icmp6OutGroupMembReductions);
-       else
-               ICMP6_INC_STATS(Icmp6OutGroupMembResponses);
-       ICMP6_INC_STATS(Icmp6OutMsgs);
+       err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev,
+                     dev_queue_xmit);
+       if (!err) {
+               if (type == ICMPV6_MGM_REDUCTION)
+                       ICMP6_INC_STATS(Icmp6OutGroupMembReductions);
+               else
+                       ICMP6_INC_STATS(Icmp6OutGroupMembResponses);
+               ICMP6_INC_STATS(Icmp6OutMsgs);
+       }
+
        return;
 
 out:
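
Review bot: err is assigned in the hunk at -1596, but unlike the hunk at -1262 no declaration is added for it here, so the function must already declare err for another purpose. Please confirm that, and that overwriting it just before `return;` does not disturb anything the `out:` path relies on. As in the earlier hunk, all three counters (Icmp6OutGroupMembReductions, Icmp6OutGroupMembResponses, Icmp6OutMsgs) are now skipped together on any non-zero result where they used to be unconditional; a short comment at `if (!err) {` would make that deliberate.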

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
