Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2228780/?format=api
{ "id": 2228780, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2228780/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427112720.5128-3-fmancera@suse.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260427112720.5128-3-fmancera@suse.de>", "date": "2026-04-27T11:27:20", "name": "[3/3,nf,v4] netfilter: xtables: fix L4 header parsing for non-first fragments", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": true, "hash": "9dbb35adc65aab4e2d60f386c4af172624dd4244", "submitter": { "id": 90904, "url": "http://patchwork.ozlabs.org/api/1.1/people/90904/?format=api", "name": "Fernando Fernandez Mancera", "email": "fmancera@suse.de" }, "delegate": { "id": 11902, "url": "http://patchwork.ozlabs.org/api/1.1/users/11902/?format=api", "username": "strlen", "first_name": "Florian", "last_name": "Westphal", "email": "fw@strlen.de" }, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427112720.5128-3-fmancera@suse.de/mbox/", "series": [ { "id": 501628, "url": "http://patchwork.ozlabs.org/api/1.1/series/501628/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501628", "date": "2026-04-27T11:27:18", "name": "[1/3,nf,v4] netfilter: nf_socket: skip socket lookup for non-first fragments", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/501628/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2228780/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2228780/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-12215-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12215-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.130", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de", "smtp-out1.suse.de;\n\tnone" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g41c50lZrz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 21:31:33 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 1DBDD3039C8B\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 11:27:59 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 09CE93B895E;\n\tMon, 27 Apr 2026 11:27:58 +0000 (UTC)", "from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5AEDA3B7B84\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 27 Apr 2026 11:27:56 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org\n [IPv6:2a07:de40:b281:104:10:150:64:97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out1.suse.de (Postfix) with ESMTPS id 03A6D6A8EA;\n\tMon, 27 Apr 2026 11:27:48 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 932C2593B0;\n\tMon, 27 Apr 2026 11:27:47 +0000 (UTC)", "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid uN78IDNI72kaWgAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Mon, 27 Apr 2026 11:27:47 +0000" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777289277; cv=none;\n b=EulAKj5ixYllRSFcB6F5B67FkOL5WO6gtwWaGqQVWUhFQNFfmmkT73YA/vb8YNwQG9ZmyER820bbg5QVYclxIM3vh3b1vfrrs6s/b4KMEQhmCtX6VLeBknVx4Ygml7kQpTvE4nIkM/GnkfrotfUM8UlYoMuqpXHdGqzAsPS4Ynk=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777289277; c=relaxed/simple;\n\tbh=IVKu9OKrna48UQbVC2i/UrUwGweD62tj2xtMr+WF9uw=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=cglVys7EBE2vrR93Md48W0897b0SeRY2hnvB4ZWy3wclpyXTIpvqcE9AZupq1tr4SieaZLZG6eTG9mlCwwQiRif0j+4qmq91yRj+fpaQgLg74WPm47K2+eZVDmAnSyVf3ucQQw0/SBp2gZPymZaGauIIBY+eNTRP1CSV/QhX0fs=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de; arc=none smtp.client-ip=195.135.223.130", "From": "Fernando Fernandez Mancera <fmancera@suse.de>", "To": "netfilter-devel@vger.kernel.org", "Cc": "coreteam@netfilter.org,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>", "Subject": "[PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments", "Date": "Mon, 27 Apr 2026 13:27:20 +0200", "Message-ID": "<20260427112720.5128-3-fmancera@suse.de>", "X-Mailer": "git-send-email 2.51.0", "In-Reply-To": "<20260427112720.5128-1-fmancera@suse.de>", "References": "<20260427112720.5128-1-fmancera@suse.de>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Rspamd-Pre-Result": [ "action=no action;\n\tmodule=replies;\n\tMessage is reply to one we originated", "action=no action;\n\tmodule=replies;\n\tMessage is reply to one we originated" ], "X-Rspamd-Queue-Id": "03A6D6A8EA", "X-Rspamd-Action": "no action", "X-Spam-Score": "-4.00", "X-Spam-Level": "", "X-Spam-Flag": "NO", "X-Spamd-Result": "default: False [-4.00 / 50.00];\n\tREPLY(-4.00)[]", "X-Rspamd-Server": "rspamd1.dmz-prg2.suse.org" }, "content": "Multiple targets and matches relies on L4 header to operate. For\nfragmented packets, every fragment carries the transport protocol\nidentifier, but only the first fragment contains the L4 header.\n\nAs the 'raw' table can be configured to run at priority -450 (before\ndefragmentation at -400), the target/match can be reached before\nreassembly. In this case, non-first fragments have their payload\nincorrectly parsed as a TCP/UDP header. This would be of course a\nmisconfiguration scenario. In most of the cases this just lead to a\nunreliable behavior for fragmented traffic.\n\nAdd a fragment check to ensure target/match only evaluates unfragmented\npackets or the first fragment in the stream.\n\nFixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv2: handled ecn, socket and tcpmss matches\nv3: extracted socket to its own patch with a generic solution for\nnft/xt, added a comment specifying that par->fragoff is fine for\necn/tcpmss ipv6 as they enforce -p tcp. Keep on mind that osf only\nsupports ipv4.\nv4: handled xt_hashlimit too\n---\n net/netfilter/xt_TPROXY.c | 11 +++++++++--\n net/netfilter/xt_ecn.c | 4 ++++\n net/netfilter/xt_hashlimit.c | 4 +++-\n net/netfilter/xt_osf.c | 3 +++\n net/netfilter/xt_tcpmss.c | 4 ++++\n 5 files changed, 23 insertions(+), 3 deletions(-)", "diff": "diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c\nindex e4bea1d346cf..5f60e7298a1e 100644\n--- a/net/netfilter/xt_TPROXY.c\n+++ b/net/netfilter/xt_TPROXY.c\n@@ -86,6 +86,9 @@ tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct xt_tproxy_target_info *tgi = par->targinfo;\n \n+\tif (par->fragoff)\n+\t\treturn NF_DROP;\n+\n \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,\n \t\t\t tgi->mark_mask, tgi->mark_value);\n }\n@@ -95,6 +98,9 @@ tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n \n+\tif (par->fragoff)\n+\t\treturn NF_DROP;\n+\n \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,\n \t\t\t tgi->mark_mask, tgi->mark_value);\n }\n@@ -106,6 +112,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct ipv6hdr *iph = ipv6_hdr(skb);\n \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n+\tunsigned short fragoff = 0;\n \tstruct udphdr _hdr, *hp;\n \tstruct sock *sk;\n \tconst struct in6_addr *laddr;\n@@ -113,8 +120,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n \tint thoff = 0;\n \tint tproto;\n \n-\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n-\tif (tproto < 0)\n+\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n+\tif (tproto < 0 || fragoff)\n \t\treturn NF_DROP;\n \n \thp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);\ndiff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c\nindex b96e8203ac54..a8503f5d26bf 100644\n--- a/net/netfilter/xt_ecn.c\n+++ b/net/netfilter/xt_ecn.c\n@@ -30,6 +30,10 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)\n \tstruct tcphdr _tcph;\n \tconst struct tcphdr *th;\n \n+\t/* this is fine for IPv6 as ecn_mt_check6() enforces -p tcp */\n+\tif (par->fragoff)\n+\t\treturn false;\n+\n \t/* In practice, TCP match does this, so can't fail. But let's\n \t * be good citizens.\n \t */\ndiff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c\nindex 3bd127bfc114..2704b4b60d1e 100644\n--- a/net/netfilter/xt_hashlimit.c\n+++ b/net/netfilter/xt_hashlimit.c\n@@ -658,6 +658,8 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,\n \t\tif (!(hinfo->cfg.mode &\n \t\t (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))\n \t\t\treturn 0;\n+\t\tif (ntohs(ip_hdr(skb)->frag_off) & IP_OFFSET)\n+\t\t\treturn -1;\n \t\tnexthdr = ip_hdr(skb)->protocol;\n \t\tbreak;\n #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)\n@@ -681,7 +683,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,\n \t\t\treturn 0;\n \t\tnexthdr = ipv6_hdr(skb)->nexthdr;\n \t\tprotoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);\n-\t\tif ((int)protoff < 0)\n+\t\tif ((int)protoff < 0 || ntohs(frag_off) & IP6_OFFSET)\n \t\t\treturn -1;\n \t\tbreak;\n \t}\ndiff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c\nindex dc9485854002..e8807caede68 100644\n--- a/net/netfilter/xt_osf.c\n+++ b/net/netfilter/xt_osf.c\n@@ -27,6 +27,9 @@\n static bool\n xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)\n {\n+\tif (p->fragoff)\n+\t\treturn false;\n+\n \treturn nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p),\n \t\t\t xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers);\n }\ndiff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\nindex 0d32d4841cb3..b9da8269161d 100644\n--- a/net/netfilter/xt_tcpmss.c\n+++ b/net/netfilter/xt_tcpmss.c\n@@ -32,6 +32,10 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n \tu8 _opt[15 * 4 - sizeof(_tcph)];\n \tunsigned int i, optlen;\n \n+\t/* this is fine for IPv6 as xt_tcpmss enforces -p tcp */\n+\tif (par->fragoff)\n+\t\treturn false;\n+\n \t/* If we don't have the whole header, drop packet. */\n \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n \tif (th == NULL)\n", "prefixes": [ "3/3", "nf", "v4" ] }