{ "id": 2224315, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2224315/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260417091422.342615-1-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.2/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260417091422.342615-1-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-04-17T09:14:22", "name": "[nf,v2] netfilter: arp_tables: fix IEEE1394 ARP payload parsing in arp_packet_match()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "34af306c13282c220e2ee2b801f5e433ff1a0614", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/1.2/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260417091422.342615-1-pablo@netfilter.org/mbox/", "series": [ { "id": 500285, "url": "http://patchwork.ozlabs.org/api/1.2/series/500285/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500285", "date": "2026-04-17T09:14:22", "name": "[nf,v2] netfilter: arp_tables: fix IEEE1394 ARP payload parsing in arp_packet_match()", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/500285/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224315/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224315/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11988-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", 
"netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=OUGxnpAz;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11988-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"OUGxnpAz\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxq2n301Yz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 19:14:41 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id DB7343037617\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 09:14:37 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0404B3B0AD7;\n\tFri, 17 Apr 2026 09:14:35 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5254D39F17E;\n\tFri, 17 Apr 2026 09:14:32 +0000 (UTC)", "from localhost.localdomain 
(mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id DF52760253;\n\tFri, 17 Apr 2026 11:14:29 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776417274; cv=none;\n b=lAkoeavvUm4rIuS8az1CUI+hNDBRa3t3rIK9VYO/fRKav+nIOLtcvDtZlaftzMxNscwJNZHlbXKjBQBarRp6gntdj9G/zNy7eITH+98TXHo51bn0y20f4Oqhlprcg6HGi7lItri0MzqapyLrS7eaMG1D+ysL0MKruKdQdvpqMoM=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776417274; c=relaxed/simple;\n\tbh=apBX6wAZOFpRvuTkgStG4E5Tw2QnsWLT7AZqsMqkY9U=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=b03o7Q3iom9t33SbSRDiWJqOdDwF0UQaTdd8zmg7iEANA+OmIeuMNCvAUvJ6NFbNhHn5aAkqmXqmw0zdfFYws19NqmLP+KVVJ21uEST7+nKU6Aw4d/LQWudxh3sxTnlY2seqGXmN6mMUkqudK7C0a8WS9uMap+rKOojBTdwPVUQ=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=OUGxnpAz; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776417270;\n\tbh=v7CyyGXbXFYajaxKcvL6QvbWbXVdB61An37V9m/xwWY=;\n\th=From:To:Cc:Subject:Date:From;\n\tb=OUGxnpAzOuTyUNI4n8jiLN3DDmuyCUZ2r+GHBXCIMHlRr+ENNSpr+ntAlBPMT+buW\n\t vK+3LmyhfsaTL5Cdb/48dV1vd+EHHhOsdPBeiT6XGC59KRe9w4sARTFIVKCC5LGrLv\n\t 38Hfkzx31oYtfx9Hwwr5PZskWc8d1NqnJHAWXTZaG6Aut8pjeLF/Prtg5jqWohPqQ+\n\t 4aPxGOaiPQd6CFaYmKJCDcElO6gun//MoCraO0cTChfaWfOJUBUo1sM1fPdvI9KC5E\n\t msxLY268hl+UFRFX/gEJ7w1OumV6gzJSgKaQ4q28uRCuDIPtduCjHU3nZeIk84qhYb\n\t 2iAm/e0XUW8qQ==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "fw@strlen.de,\n\tnetdev@vger.kernel.org", "Subject": "[PATCH nf,v2] netfilter: arp_tables: fix IEEE1394 ARP payload parsing\n in arp_packet_match()", "Date": "Fri, 17 Apr 2026 11:14:22 +0200", "Message-ID": 
"<20260417091422.342615-1-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Weiming Shi says:\n\n\"arp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"\n\nMangle the original patch to always return 0 (no match) in case user\nmatches on the target hardware address which is never present in\nIEEE1394.\n\nMoreover, adjust arpt_mangle too as AI suggests:\n\nIn arpt_mangle, the logic assumes a standard ARP layout. Because\nIEEE1394 (FireWire) omits the target hardware address, the linear\npointer arithmetic miscalculates the offset for the target IP address.\nThis causes mangling operations to write to the wrong location, leading\nto packet corruption. 
To ensure safety, this patch drops packets\n(NF_DROP) when mangling is requested for these fields on IEEE1394\ndevices, as the current implementation cannot correctly map the FireWire\nARP payload.\n\nThis omits both mangling target hardware and IP address. Even if IP\naddress mangling should be possible in IEEE1394, this would require\nto adjust arpt_mangle offset calculation, which has been never\nsupported.\n\nBased on patch from Weiming Shi <bestswngs@gmail.com>.\n\nFixes: 6752c8db8e0c (\"firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\nv2: addressing AI suggestions.\n\n net/ipv4/netfilter/arp_tables.c | 18 +++++++++++++++---\n net/ipv4/netfilter/arpt_mangle.c | 8 ++++++++\n 2 files changed, 23 insertions(+), 3 deletions(-)", "diff": "diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c\nindex 1cdd9c28ab2d..97ead883e4a1 100644\n--- a/net/ipv4/netfilter/arp_tables.c\n+++ b/net/ipv4/netfilter/arp_tables.c\n@@ -110,13 +110,25 @@ static inline int arp_packet_match(const struct arphdr *arphdr,\n \tarpptr += dev->addr_len;\n \tmemcpy(&src_ipaddr, arpptr, sizeof(u32));\n \tarpptr += sizeof(u32);\n-\ttgt_devaddr = arpptr;\n-\tarpptr += dev->addr_len;\n+\n+\tif (IS_ENABLED(CONFIG_FIREWIRE_NET) && dev->type == ARPHRD_IEEE1394) {\n+\t\tif (unlikely(memchr_inv(arpinfo->tgt_devaddr.mask, 0,\n+\t\t\t\t\tsizeof(arpinfo->tgt_devaddr.mask))))\n+\t\t\treturn 0;\n+\n+\t\ttgt_devaddr = NULL;\n+\t} else {\n+\t\ttgt_devaddr = arpptr;\n+\t\tarpptr += dev->addr_len;\n+\t}\n \tmemcpy(&tgt_ipaddr, arpptr, sizeof(u32));\n \n \tif (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,\n \t\t arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,\n-\t\t\t\t\tdev->addr_len)) ||\n+\t\t\t\t\tdev->addr_len)))\n+\t\treturn 0;\n+\n+\tif (tgt_devaddr &&\n \t NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,\n \t\t 
arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,\n \t\t\t\t\tdev->addr_len)))\ndiff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c\nindex a4e07e5e9c11..f65dd339208e 100644\n--- a/net/ipv4/netfilter/arpt_mangle.c\n+++ b/net/ipv4/netfilter/arpt_mangle.c\n@@ -40,6 +40,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)\n \t}\n \tarpptr += pln;\n \tif (mangle->flags & ARPT_MANGLE_TDEV) {\n+\t\tif (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&\n+\t\t\t skb->dev->type == ARPHRD_IEEE1394))\n+\t\t\treturn NF_DROP;\n+\n \t\tif (ARPT_DEV_ADDR_LEN_MAX < hln ||\n \t\t (arpptr + hln > skb_tail_pointer(skb)))\n \t\t\treturn NF_DROP;\n@@ -47,6 +51,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)\n \t}\n \tarpptr += hln;\n \tif (mangle->flags & ARPT_MANGLE_TIP) {\n+\t\tif (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&\n+\t\t\t skb->dev->type == ARPHRD_IEEE1394))\n+\t\t\treturn NF_DROP;\n+\n \t\tif (ARPT_MANGLE_ADDR_LEN_MAX < pln ||\n \t\t (arpptr + pln > skb_tail_pointer(skb)))\n \t\t\treturn NF_DROP;\n", "prefixes": [ "nf", "v2" ] }
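Review bot: The early `return 0` inside the new `dev->type == ARPHRD_IEEE1394` branch also fires when the rule carries `ARPT_INV_TGTDEVADDR`, so an inverted target-MAC test never matches on FireWire either; the commit message says this is deliberate, but the code does not, and the later `if (tgt_devaddr && ...)` guard reads as if the inverted case were still being evaluated. A comment above the `memchr_inv()` test would spare the next reader the trip through the changelog, e.g. `/* RFC 2734 ARP carries no target hardware address: a rule that tests it never matches, inverted or not. */`. This mask check runs per packet, which is presumably unavoidable because rule validation does not know the device type; `memchr_inv()` over the 16-byte mask is cheap, so that is fine, but worth a word in the same comment. Because `tgt_devaddr` is now NULL on IEEE1394, any use of it in the unchanged tail of the function would need the same NULL guard — the tail is outside this hunk, so I could not confirm there is none. arp_packet_match() starts before and ends after this hunk.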
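Review bot: The new IEEE1394 drop is written twice — in the `ARPT_MANGLE_TDEV` branch of this hunk and again in the `ARPT_MANGLE_TIP` branch of the second arpt_mangle.c hunk — and each copy re-reads `skb->dev->type` per packet. One test placed just before the `ARPT_MANGLE_TDEV` branch gives the same outcome for every flag combination: `if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) && skb->dev->type == ARPHRD_IEEE1394 && (mangle->flags & (ARPT_MANGLE_TDEV | ARPT_MANGLE_TIP)))) return NF_DROP;`. The drop is silent at runtime for a rule that was presumably accepted at load time, so a comment such as `/* RFC 2734 ARP omits the target hardware address; the pointer arithmetic below is wrong for it, so refuse rather than rewrite the wrong bytes. */` would explain the NF_DROP to whoever debugs it. The check also assumes `skb->dev` is non-NULL in every ARP hook this target can run in; the rest of target() is outside both hunks, so I could not confirm whether it already relies on that. target() starts before and ends after both hunks.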