netfilter: ip6table_raw: fix table priority

The order of the IPv6 raw table is currently reversed, that makes impossible
to use the NOTRACK target in IPv6: for example if someone enters

ip6tables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and if we receive fragmented packets then the first fragment will be
untracked and thus skip nf_ct_frag6_gather (and conntrack), while all
subsequent fragments enter nf_ct_frag6_gather and reassembly will never
successfully be finished.

Singed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index d654873aa25afdaae0fe2ac921b2cd58db16bf04..1f7e300094cd4777ffe98600cc5319bcf5bb406f 100644 (file)
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -59,6 +59,7 @@
 enum nf_ip6_hook_priorities {
        NF_IP6_PRI_FIRST = INT_MIN,
        NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+       NF_IP6_PRI_RAW = -300,
        NF_IP6_PRI_SELINUX_FIRST = -225,
        NF_IP6_PRI_CONNTRACK = -200,
        NF_IP6_PRI_MANGLE = -150,

diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index aef31a29de9ed37f3cf48ab12b738ddf9856882b..b9cf7cd6192316a265a9b670e558c3740514e0d8 100644 (file)
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -13,7 +13,7 @@ static const struct xt_table packet_raw = {
        .valid_hooks = RAW_VALID_HOOKS,
        .me = THIS_MODULE,
        .af = NFPROTO_IPV6,
-       .priority = NF_IP6_PRI_FIRST,
+       .priority = NF_IP6_PRI_RAW,
 };
 
 /* The work comes in here from netfilter.c. */