netfilter: conntrack: don't log "invalid" icmpv6 connections
author: Florian Westphal <fw@strlen.de>
Fri, 25 Aug 2017 00:59:41 +0000 (02:59 +0200)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 28 Aug 2017 15:53:56 +0000 (17:53 +0200)
When enabling logging for invalid connections we currently also log most
icmpv6 types, which we don't track intentionally (e.g. neigh discovery).
"invalid" should really mean "invalid", i.e. short header or bad checksum.

We don't do any logging for icmp(v4) either, it's just useless noise.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

index 808f63e2e1ffecee4c93a85858896113d191fe29..43544b975eaeee31afd218493dc5f419b3255298 100644 (file)
@@ -121,11 +121,6 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
                pr_debug("icmpv6: can't create new conn with type %u\n",
                         type + 128);
                nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
-               if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
-                       nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
-                                     NULL, NULL,
-                                     "nf_ct_icmpv6: invalid new with type %d ",
-                                     type + 128);
                return false;
        }
        return true;
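Review bot: with the LOG_INVALID branch removed, the only remaining diagnostics in this failure path of icmpv6_new() are the pr_debug and nf_ct_dump_tuple_ipv6 calls, so untracked ICMPv6 types (such as the neighbour discovery mentioned in the changelog) will no longer appear in nf_log output at all; that matches the stated goal of mirroring icmp(v4), but it is a visible behaviour change for operators who filter the "invalid" log for these types, and it would help to spell that out in the commit message. Worth also confirming that no other LOG_INVALID(..., IPPROTO_ICMPV6) site in this file still logs untracked types, otherwise the "invalid means short header or bad checksum" rule from the changelog is only half applied.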