@@ -437,6 +437,18 @@ int ip6_forward(struct sk_buff *skb)
}
dst = skb_dst(skb);
+ int addrtype = ipv6_addr_type(&hdr->saddr);
+
+ /* This check is security critical. */
+ if (addrtype == IPV6_ADDR_ANY ||
+ addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
+ goto error;
+ if (addrtype & IPV6_ADDR_LINKLOCAL) {
+ icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+ ICMPV6_NOT_NEIGHBOUR, 0);
+ goto error;
+ }
+
/* IPv6 specs say nothing about it, but it is clear that we cannot
send redirects to source routed frames.
We don't send redirects to frames decapsulated from IPsec.
@@ -466,18 +478,6 @@ int ip6_forward(struct sk_buff *skb)
ndisc_send_redirect(skb, target);
if (peer)
inet_putpeer(peer);
- } else {
- int addrtype = ipv6_addr_type(&hdr->saddr);
-
- /* This check is security critical. */
- if (addrtype == IPV6_ADDR_ANY ||
- addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
- goto error;
- if (addrtype & IPV6_ADDR_LINKLOCAL) {
- icmpv6_send(skb, ICMPV6_DEST_UNREACH,
- ICMPV6_NOT_NEIGHBOUR, 0);
- goto error;
- }
}
mtu = ip6_dst_mtu_forward(dst);