GET /api/1.1/patches/2225093/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2225093,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2225093/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260420104745.10338-2-fmancera@suse.de/",
    "project": {
        "id": 26,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api",
        "name": "Netfilter Development",
        "link_name": "netfilter-devel",
        "list_id": "netfilter-devel.vger.kernel.org",
        "list_email": "netfilter-devel@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null
    },
    "msgid": "<20260420104745.10338-2-fmancera@suse.de>",
    "date": "2026-04-20T10:47:45",
    "name": "[2/2,nf,v2] netfilter: xtables: fix L4 header parsing for non-first fragments",
    "commit_ref": null,
    "pull_url": null,
    "state": "changes-requested",
    "archived": false,
    "hash": "952d558069ad08dbb69c123dc30bcaf835e379d6",
    "submitter": {
        "id": 90904,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/90904/?format=api",
        "name": "Fernando Fernandez Mancera",
        "email": "fmancera@suse.de"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260420104745.10338-2-fmancera@suse.de/mbox/",
    "series": [
        {
            "id": 500594,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/500594/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500594",
            "date": "2026-04-20T10:47:45",
            "name": "[1/2,nf,v2] netfilter: nf_tables: skip L4 header parsing for non-first fragments",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/500594/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2225093/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2225093/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <netfilter-devel+bounces-12038-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "netfilter-devel@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=VPRcIsxF;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=0pevoeGf;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=VPRcIsxF;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=0pevoeGf;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12038-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"VPRcIsxF\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"0pevoeGf\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"VPRcIsxF\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"0pevoeGf\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de",
            "smtp-out2.suse.de;\n\tnone"
        ],
        "Received": [
            "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzhzw6y74z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 20:48:44 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id F205D301117B\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 10:48:41 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id B09DF392C3A;\n\tMon, 20 Apr 2026 10:48:40 +0000 (UTC)",
            "from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id E6C7B2BE05E\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 10:48:38 +0000 (UTC)",
            "from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id 3180B5BCFB;\n\tMon, 20 Apr 2026 10:48:37 +0000 (UTC)",
            "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id B28A2593AE;\n\tMon, 20 Apr 2026 10:48:36 +0000 (UTC)",
            "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid KEuqKIQE5mkFFgAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Mon, 20 Apr 2026 10:48:36 +0000"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776682120; cv=none;\n b=S0Kr1b3dgfaSkL87jLrFM7t3bcg6bVXWyn/wP9nqrKuvIcg0d2hUcjsFevjrAPnBtIt/4vOkeV9I37W3lgFeoNaYntUYkqt3jIaxHwj/Z9Rd3hp2nOud5ci07kA74Fv2RAKnvXD8yiZPFAnPwNYzRgwKDhl+augwEAAe2ZUVwx4=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776682120; c=relaxed/simple;\n\tbh=nOsNaff3MEdUO6nQdwoCMXHlYHz+jAD0iAqI/OpEFsU=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=F9EGvscybu8mbFw69DDmAin3qStizq3klo6N6p4ukTt6SEnIMkVDXz5TUd3x+gGR6bF6dw8ao4ty9rvwb2Ltl95qSAONCS3ytD4uSfGVfTcBU5+IDfhhPtKfWX6JO19vB6X8OJzvXB9nEErizT4bO1js3GNDNcDzf0MlfPHw9Sw=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=VPRcIsxF;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=0pevoeGf;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=VPRcIsxF;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=0pevoeGf; arc=none smtp.client-ip=195.135.223.131",
        "DKIM-Signature": [
            "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776682117;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=dsmWKgBEdsaNgrsUJLHuHpT56+lMxN5eht4XrSEWbt8=;\n\tb=VPRcIsxFkQux85IMEDI4O90nt6GDV1f4h21gl+Ewqb5AmNYjm0Vx/RPzzAi25Vm0Pu7P6v\n\tFIUHFrfSfq1q4fbFb0AqC+fWkZU1WUZ6J1hRePOfnAwGBcNPGyY77bqCKuevIh/plFtFWS\n\t7FJazSQAoMDaaPHQfZ3cg7kNPyvQnWU=",
            "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776682117;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=dsmWKgBEdsaNgrsUJLHuHpT56+lMxN5eht4XrSEWbt8=;\n\tb=0pevoeGfZXH4IlGEkEso4BWdg+pVEMmvRihks1yl0RRrZarxA8Z70KRBR2kRac/1HlBqq2\n\tqiFtJZ2Ws4FT2ACg==",
            "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776682117;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=dsmWKgBEdsaNgrsUJLHuHpT56+lMxN5eht4XrSEWbt8=;\n\tb=VPRcIsxFkQux85IMEDI4O90nt6GDV1f4h21gl+Ewqb5AmNYjm0Vx/RPzzAi25Vm0Pu7P6v\n\tFIUHFrfSfq1q4fbFb0AqC+fWkZU1WUZ6J1hRePOfnAwGBcNPGyY77bqCKuevIh/plFtFWS\n\t7FJazSQAoMDaaPHQfZ3cg7kNPyvQnWU=",
            "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776682117;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=dsmWKgBEdsaNgrsUJLHuHpT56+lMxN5eht4XrSEWbt8=;\n\tb=0pevoeGfZXH4IlGEkEso4BWdg+pVEMmvRihks1yl0RRrZarxA8Z70KRBR2kRac/1HlBqq2\n\tqiFtJZ2Ws4FT2ACg=="
        ],
        "From": "Fernando Fernandez Mancera <fmancera@suse.de>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "coreteam@netfilter.org,\n\tecklm94@gmail.com,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>",
        "Subject": "[PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments",
        "Date": "Mon, 20 Apr 2026 12:47:45 +0200",
        "Message-ID": "<20260420104745.10338-2-fmancera@suse.de>",
        "X-Mailer": "git-send-email 2.51.0",
        "In-Reply-To": "<20260420104745.10338-1-fmancera@suse.de>",
        "References": "<20260420104745.10338-1-fmancera@suse.de>",
        "Precedence": "bulk",
        "X-Mailing-List": "netfilter-devel@vger.kernel.org",
        "List-Id": "<netfilter-devel.vger.kernel.org>",
        "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-Spamd-Result": "default: False [-6.80 / 50.00];\n\tREPLY(-4.00)[];\n\tBAYES_HAM(-3.00)[100.00%];\n\tMID_CONTAINS_FROM(1.00)[];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tR_MISSING_CHARSET(0.50)[];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tARC_NA(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tFREEMAIL_CC(0.00)[netfilter.org,gmail.com,nwl.cc,strlen.de,suse.de];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tRCVD_TLS_ALL(0.00)[];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.de:mid,suse.de:email];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tRCPT_COUNT_SEVEN(0.00)[7];\n\tTO_DN_SOME(0.00)[];\n\tFREEMAIL_ENVRCPT(0.00)[gmail.com]",
        "X-Spam-Flag": "NO",
        "X-Spam-Score": "-6.80",
        "X-Spam-Level": ""
    },
    "content": "Multiple targets and matches rely on the L4 header to operate. For\nfragmented packets, every fragment carries the transport protocol\nidentifier, but only the first fragment contains the L4 header.\n\nAs the 'raw' table can be configured to run at priority -450 (before\ndefragmentation at -400), the target/match can be reached before\nreassembly. In this case, non-first fragments have their payload\nincorrectly parsed as a TCP/UDP header. This would of course be a\nmisconfiguration scenario. In most cases this just leads to\nunreliable behavior for fragmented traffic.\n\nAdd a fragment check to ensure target/match only evaluates unfragmented\npackets or the first fragment in the stream.\n\nFixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv2: handled ecn, socket and tcpmss matches\n---\n net/netfilter/xt_TPROXY.c | 11 +++++++++--\n net/netfilter/xt_ecn.c    |  3 +++\n net/netfilter/xt_osf.c    |  3 +++\n net/netfilter/xt_socket.c | 10 ++++++++--\n net/netfilter/xt_tcpmss.c |  3 +++\n 5 files changed, 26 insertions(+), 4 deletions(-)",
    "diff": "diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c\nindex e4bea1d346cf..5f60e7298a1e 100644\n--- a/net/netfilter/xt_TPROXY.c\n+++ b/net/netfilter/xt_TPROXY.c\n@@ -86,6 +86,9 @@ tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct xt_tproxy_target_info *tgi = par->targinfo;\n \n+\tif (par->fragoff)\n+\t\treturn NF_DROP;\n+\n \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,\n \t\t\t  tgi->mark_mask, tgi->mark_value);\n }\n@@ -95,6 +98,9 @@ tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n \n+\tif (par->fragoff)\n+\t\treturn NF_DROP;\n+\n \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,\n \t\t\t  tgi->mark_mask, tgi->mark_value);\n }\n@@ -106,6 +112,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct ipv6hdr *iph = ipv6_hdr(skb);\n \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n+\tunsigned short fragoff = 0;\n \tstruct udphdr _hdr, *hp;\n \tstruct sock *sk;\n \tconst struct in6_addr *laddr;\n@@ -113,8 +120,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n \tint thoff = 0;\n \tint tproto;\n \n-\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n-\tif (tproto < 0)\n+\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n+\tif (tproto < 0 || fragoff)\n \t\treturn NF_DROP;\n \n \thp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);\ndiff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c\nindex b96e8203ac54..cd97c2fac6e7 100644\n--- a/net/netfilter/xt_ecn.c\n+++ b/net/netfilter/xt_ecn.c\n@@ -30,6 +30,9 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)\n \tstruct tcphdr _tcph;\n \tconst struct tcphdr *th;\n \n+\tif (par->fragoff)\n+\t\treturn false;\n+\n \t/* In practice, TCP match does this, so can't fail.  
But let's\n \t * be good citizens.\n \t */\ndiff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c\nindex dc9485854002..e8807caede68 100644\n--- a/net/netfilter/xt_osf.c\n+++ b/net/netfilter/xt_osf.c\n@@ -27,6 +27,9 @@\n static bool\n xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)\n {\n+\tif (p->fragoff)\n+\t\treturn false;\n+\n \treturn nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p),\n \t\t\t    xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers);\n }\ndiff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c\nindex 76e01f292aaf..d366e294f1aa 100644\n--- a/net/netfilter/xt_socket.c\n+++ b/net/netfilter/xt_socket.c\n@@ -55,8 +55,11 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,\n \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n \t\tsk = NULL;\n \n-\tif (!sk)\n+\tif (!sk) {\n+\t\tif (par->fragoff)\n+\t\t\treturn false;\n \t\tsk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));\n+\t}\n \n \tif (sk) {\n \t\tbool wildcard;\n@@ -116,8 +119,11 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)\n \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n \t\tsk = NULL;\n \n-\tif (!sk)\n+\tif (!sk) {\n+\t\tif (par->fragoff)\n+\t\t\treturn false;\n \t\tsk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));\n+\t}\n \n \tif (sk) {\n \t\tbool wildcard;\ndiff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\nindex 0d32d4841cb3..69844cc8dbb8 100644\n--- a/net/netfilter/xt_tcpmss.c\n+++ b/net/netfilter/xt_tcpmss.c\n@@ -32,6 +32,9 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n \tu8 _opt[15 * 4 - sizeof(_tcph)];\n \tunsigned int i, optlen;\n \n+\tif (par->fragoff)\n+\t\treturn false;\n+\n \t/* If we don't have the whole header, drop packet. */\n \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n \tif (th == NULL)\n",
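Review bot: The new `return NF_DROP` paths in tproxy_tg4_v0, tproxy_tg4_v1 and tproxy_tg6_v1 (net/netfilter/xt_TPROXY.c) carry no comment, although they give the target a different outcome from the matches in this patch, which return false and let rule traversal continue. With these checks every non-first fragment that reaches a TPROXY rule is discarded, so a ruleset that runs the target before defragmentation loses fragmented flows entirely. I would state the reason at each site, e.g. `/* non-first fragment: no L4 header here, do not read payload as ports */`. On tproxy_tg6_v1 the comment could also say why the offset comes from `ipv6_find_hdr()` rather than `par->fragoff` as in the IPv4 variants. The body of tproxy_tg6_v1 continues outside the hunk.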
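Review bot: In socket_mt6_v1_v2_v3 (net/netfilter/xt_socket.c) the added `if (par->fragoff) return false;` may not see the fragment offset for every IPv6 rule. As far as I recall, ip6_tables fills `par->fragoff` only while evaluating a rule that specifies a protocol, and the socket match does not appear to require one; none of this is visible in the hunk, so please confirm. This same patch avoids `par->fragoff` in tproxy_tg6_v1 and takes the offset from `ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL)`; doing the same here, or inside the slow lookup helper, would make the guard independent of how the rule is written. In both socket_match and socket_mt6_v1_v2_v3 the check sits inside the `if (!sk)` branch, so a fragment whose socket was obtained before the hunk is still matched; if that is intended, a comment such as `/* an already attached socket needs no L4 parsing */` would record it. Both function bodies start and end outside the hunks.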
    "prefixes": [
        "2/2",
        "nf",
        "v2"
    ]
}