summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2017-08-25 02:59:41 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2017-08-28 17:53:56 +0200
commite2f387d2df0ece6d4418bb09bef7802cfaf7142d (patch)
tree6e1023331ae5942fd03e626524e608de0d03f522 /net
parentnetfilter: core: batch nf_unregister_net_hooks synchronize_net calls (diff)
downloadlinux-e2f387d2df0ece6d4418bb09bef7802cfaf7142d.tar.xz
linux-e2f387d2df0ece6d4418bb09bef7802cfaf7142d.zip
netfilter: conntrack: don't log "invalid" icmpv6 connections
When enabling logging for invalid connections we currently also log most icmpv6 types, which we don't track intentionally (e.g. neigh discovery). "invalid" should really mean "invalid", i.e. short header or bad checksum. We don't do any logging for icmp(v4) either, its just useless noise. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c5
1 files changed, 0 insertions, 5 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 808f63e2e1ff..43544b975eae 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -121,11 +121,6 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
pr_debug("icmpv6: can't create new conn with type %u\n",
type + 128);
nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
- if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
- nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
- NULL, NULL,
- "nf_ct_icmpv6: invalid new with type %d ",
- type + 128);
return false;
}
return true;