[{"id":3679591,"web_url":"http://patchwork.ozlabs.org/comment/3679591/","msgid":"<aeaQcrEMN-IYE7xI@chamomile>","list_archive_url":null,"date":"2026-04-20T20:45:38","subject":"Re: [PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi Fernando,\n\nOn Mon, Apr 20, 2026 at 12:47:45PM +0200, Fernando Fernandez Mancera wrote:\n> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c\n> index 76e01f292aaf..d366e294f1aa 100644\n> --- a/net/netfilter/xt_socket.c\n> +++ b/net/netfilter/xt_socket.c\n> @@ -55,8 +55,11 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,\n>  \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n>  \t\tsk = NULL;\n>  \n> -\tif (!sk)\n> +\tif (!sk) {\n> +\t\tif (par->fragoff)\n> +\t\t\treturn false;\n>  \t\tsk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));\n> +\t}\n>  \n>  \tif (sk) {\n>  \t\tbool wildcard;\n> 
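Review bot: the new `if (par->fragoff) return false;` guard in socket_match() carries no comment explaining why a non-first fragment is rejected; since the slow lookup that follows needs the transport header and a non-first fragment does not carry one, a one-line comment above the check (for example `/* non-first fragment: no L4 header to look up */`) would make the intent clear. It is also worth saying in the commit message that a plain `return false` (no match, no `par->hotdrop`) is the intended policy, and that the guard sits inside `if (!sk)`, so a packet that already has a socket attached skips it entirely.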
@@ -116,8 +119,11 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)\n>  \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n>  \t\tsk = NULL;\n>  \n> -\tif (!sk)\n> +\tif (!sk) {\n> +\t\tif (par->fragoff)\n> +\t\t\treturn false;\n\nYour patch will work as intended in iptables over nf_tables, because\nit always sets on fragoff regardless of user policy.\n\nBut, if ipv6_find_hdr() finds no layer 4 protocol, then fragoff\nremains zero, and pkt->flags does not set on NFT_PKTINFO_L4PROTO.\nThere, in nftables, par->fragoff by itself is not reliable because\nmaybe the layer 4 was not found.\n\nThen, there is ip6_tables legacy which does not behave like ip_tables\nfor fragments.\n\nip6t_do_table() only sets fragoff if IP6T_F_PROTO (-p in userspace) is\nused, unlike nftables which always sets on fragoff.\n\nSo par->fragoff is unreliable in ip6_tables legacy, and\nipv6_find_hdr() is called over and over again in the ip6_packet_match() loop\nfor each rule.\n\nOne way would be to call ipv6_find_hdr() unconditionally from\nip6_tables legacy, but that belongs to a different patch and that\nwould touch core ip6_tables legacy.\n\nRewinding a bit, coming back to the original issue: osf only\nsupports ipv4 :-)\n\n>  \t\tsk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));\n> +\t}\n>  \n>  \tif (sk) {\n>  \t\tbool wildcard;\n> diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\n> index 0d32d4841cb3..69844cc8dbb8 100644\n> --- a/net/netfilter/xt_tcpmss.c\n> +++ b/net/netfilter/xt_tcpmss.c\n> 
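Review bot: the socket_mt6_v1_v2_v3() hunk repeats the same `par->fragoff` guard as the IPv4 one, but in the IPv6 path a zero fragoff does not prove the packet is a first fragment: as the reply above points out, fragoff stays zero when no layer 4 header was found, and ip6_tables legacy only sets it when IP6T_F_PROTO is used, so a non-first fragment can still fall through to nf_sk_lookup_slow_v6(). Either add a comment above the check documenting that it relies on the caller having located the transport header, or state in the commit message how the v6 lookup behaves when the transport header is missing, so a reader knows whether this guard is the correctness fix or only an early exit.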
@@ -32,6 +32,9 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n>  \tu8 _opt[15 * 4 - sizeof(_tcph)];\n>  \tunsigned int i, optlen;\n>  \n> +\tif (par->fragoff)\n> +\t\treturn false;\n> +\n>  \t/* If we don't have the whole header, drop packet. */\n>  \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n>  \tif (th == NULL)\n> -- \n> 2.53.0\n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12089-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=XBfxHrvV;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12089-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"XBfxHrvV\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzyF46sTSz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 06:46:00 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby 
sin.lore.kernel.org (Postfix) with ESMTP id A6E0F30074DB\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 20:45:46 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id B1018381B0D;\n\tMon, 20 Apr 2026 20:45:45 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 05A872BE05F\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 20:45:42 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id B60816017E;\n\tMon, 20 Apr 2026 22:45:40 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776717945; cv=none;\n b=QZQknYGVFMS99d7l1BhFWqWdx6+DKqOfZcLEEnXZo/vbyKKdLw2rag7BaTlRSbWcl8u/nZQjHa6o83TJQjsBoVk4WbStcOQ+X4rbmAUKLXeFt3l+VLk5Hs+mQR1jnFtj3u3rucnx9T7+Q/37/EWX8zkzlaOmgC3J9e3pFffMZgM=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776717945; c=relaxed/simple;\n\tbh=XeMXk7xZwpuFSjfvqdbGGUf+kjIDDUvn3EBK1rTg5xs=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=dWcEUCL8/ECM/CudJIlHeVDNbxehyywzcg1unaJ4dwcj/HOb4YY8h+4ImA9xdRmYlgHnWm0e2vOduZknazKoi93KNNndDoP4uiNmS3R4taQ1hIguw7jdycESt+UMQ+ltsozSRAcRHjEcVDGFNcmvrz739p7NJEZ5Z2dWCT5h5eo=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=XBfxHrvV; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; 
t=1776717940;\n\tbh=HHHynewhlJ13L/2gc3sq4KfyAUmPJibOpDYAi0VLqII=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=XBfxHrvVRaOC9yL+QGCnM2EskedTpo55Ma9hJuQSI1TrAe0mbiOSQrEjS7+liiZuW\n\t QDyX2cDuj7HIc5gToo4Vssn+vwCffPCFEFnw0QmURHR/ym43N6DCPJ1zeMgwyDyNJh\n\t toUovBNttJxvSA8NnnczZquhbRCtEUvt064fvOHcuHMvlnR2ACI75wEMExESSXvWZa\n\t X0M0aG3iZqf+5DAmx3xWb9hXbngqv3U/pcrdS6qsI+DdprkgA2MO925sg1r7PDvM4n\n\t e+2JZTY6Z9LYEBS4dQEp73BAm0JFUUjA0DpMEXWQJqFSDfeMulfcV2ByUvytyKG9L7\n\t TGnYUdFNLSdhA==","Date":"Mon, 20 Apr 2026 22:45:38 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tecklm94@gmail.com, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Message-ID":"<aeaQcrEMN-IYE7xI@chamomile>","References":"<20260420104745.10338-1-fmancera@suse.de>\n <20260420104745.10338-2-fmancera@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260420104745.10338-2-fmancera@suse.de>"}},{"id":3679597,"web_url":"http://patchwork.ozlabs.org/comment/3679597/","msgid":"<aeaTcpPAk1HDjUoD@chamomile>","list_archive_url":null,"date":"2026-04-20T20:58:26","subject":"Re: [PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 20, 2026 at 10:45:41PM +0200, Pablo Neira Ayuso wrote:\n> Hi Fernando,\n> \n> On Mon, Apr 20, 2026 at 12:47:45PM +0200, Fernando Fernandez Mancera wrote:\n> 
> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c\n> > index 76e01f292aaf..d366e294f1aa 100644\n> > --- a/net/netfilter/xt_socket.c\n> > +++ b/net/netfilter/xt_socket.c\n> > @@ -55,8 +55,11 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,\n> >  \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n> >  \t\tsk = NULL;\n> >  \n> > -\tif (!sk)\n> > +\tif (!sk) {\n> > +\t\tif (par->fragoff)\n> > +\t\t\treturn false;\n> >  \t\tsk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));\n> > +\t}\n> >  \n> >  \tif (sk) {\n> >  \t\tbool wildcard;\n> 
> @@ -116,8 +119,11 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)\n> >  \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n> >  \t\tsk = NULL;\n> >  \n> > -\tif (!sk)\n> > +\tif (!sk) {\n> > +\t\tif (par->fragoff)\n> > +\t\t\treturn false;\n> \n> Your patch will work as intended in iptables over nf_tables, because\n> it always sets on fragoff regardless of user policy.\n> \n> But, if ipv6_find_hdr() finds no layer 4 protocol, then fragoff\n> remains zero, and pkt->flags does not set on NFT_PKTINFO_L4PROTO.\n> There, in nftables, par->fragoff by itself is not reliable because\n> maybe the layer 4 was not found.\n\nThis is where pkt->tprot comes into play. I think this series is fine\nwith nf_tables, it is just ip6_tables legacy that lags behind.\n\n> Then, there is ip6_tables legacy which does not behave like ip_tables\n> for fragments.\n> \n> ip6t_do_table() only sets fragoff if IP6T_F_PROTO (-p in userspace) is\n> used, unlike nftables which always sets on fragoff.\n> \n> So par->fragoff is unreliable in ip6_tables legacy, and\n> ipv6_find_hdr() is called over and over again in the ip6_packet_match() loop\n> for each rule.\n> \n> One way would be to call ipv6_find_hdr() unconditionally from\n> ip6_tables legacy, but that belongs to a different patch and that\n> would touch core ip6_tables legacy.\n> \n> Rewinding a bit, coming back to the original issue: osf only\n> supports ipv4 :-)\n> \n> >  \t\tsk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));\n> > +\t}\n> >  \n> >  \tif (sk) {\n> >  \t\tbool wildcard;\n> > diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\n> > index 0d32d4841cb3..69844cc8dbb8 100644\n> > --- a/net/netfilter/xt_tcpmss.c\n> > +++ b/net/netfilter/xt_tcpmss.c\n> 
> @@ -32,6 +32,9 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n> >  \tu8 _opt[15 * 4 - sizeof(_tcph)];\n> >  \tunsigned int i, optlen;\n> >  \n> > +\tif (par->fragoff)\n> > +\t\treturn false;\n> > +\n> >  \t/* If we don't have the whole header, drop packet. */\n> >  \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n> >  \tif (th == NULL)\n> > -- \n> > 2.53.0\n> >","headers":{"Return-Path":"\n <netfilter-devel+bounces-12091-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=DsE/l2xC;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12091-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"DsE/l2xC\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzyWx0ZmXz1yHB\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 06:58:53 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n 
[100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 41625300C006\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 20:58:35 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A54E439D6ED;\n\tMon, 20 Apr 2026 20:58:33 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7840138229E\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 20:58:31 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 9968960178;\n\tMon, 20 Apr 2026 22:58:29 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776718713; cv=none;\n b=Lah9EJ7r1eJEPvt42NSFI+idFkUWTpHBNmOFBkw2L5CKKmX6ykGKsSYsA1X464X/jEcx+gGR7YV83RQpieV+jjn5Bz+CMO4OVxBSgYs6021fVcgLPpjAEGrV853lFw5x1abrQrUfWPUVV7SEJpdxSRfnnFVoRFksfF/QEySrEVc=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776718713; c=relaxed/simple;\n\tbh=ffTjBHLema4zelTZXm7uA2ao9Fr8rKvhGyJOEuzOAIY=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=DIa4kRNMPRxkRaZ5bJ6yMg2SRshacvmoE75Wd33OokBnoQapi6F2q+pbNJUC3sSLu6R2oO6NRd6kH4dylm7dOqWA4HlKzDhz6G7WiI9SNounSSYHlO8AcklUjlPs6Su46hCIMoyQQcMGkqhd9cMOz8xIW/TtGykBSRv/nry2F8Y=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=DsE/l2xC; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; 
t=1776718709;\n\tbh=++5aweUj5nrfUdk3DPaIqlUYm3UR2MB7HRq2Rqe3VjQ=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=DsE/l2xCXmfq1ElNvc6LAAEk83c8ReLJa9Y4fgFbpnDP6kyP2TKfVqWLAvI9a0AdO\n\t UuTrt8nG287uK7qOQkPJRpj0Z5hh5vN/0xeLwAqUkqkiQTH8XElMAuFnKB6RjfWC09\n\t wFi++B8STo0Qf8IuXEmDkILwYm9qCtNMXvkJ0Ypw8IbGc0WytVsd+sKo5kON1MnJLR\n\t 4mKHvmDqfCb49YeDCvUDMDpNTEHFRRfgGyCXUZzDI17F5UzBvDiH49blaDKIevkLrT\n\t i9KpADHnsHx+Oy+1lkNJr3iZXzyvyHDZyS7ZZbM+U39CZ9hF+1Tzxud3RFgVwJ+54Q\n\t cqdHiP8HfL6vw==","Date":"Mon, 20 Apr 2026 22:58:26 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tecklm94@gmail.com, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Message-ID":"<aeaTcpPAk1HDjUoD@chamomile>","References":"<20260420104745.10338-1-fmancera@suse.de>\n <20260420104745.10338-2-fmancera@suse.de>\n <aeaQcrEMN-IYE7xI@chamomile>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aeaQcrEMN-IYE7xI@chamomile>"}},{"id":3679603,"web_url":"http://patchwork.ozlabs.org/comment/3679603/","msgid":"<44c867f4-a9f7-4ca2-8c4e-ba13a5353815@suse.de>","list_archive_url":null,"date":"2026-04-20T21:08:14","subject":"Re: [PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"Hi Pablo,\n\nOn 4/20/26 10:58 PM, Pablo Neira Ayuso wrote:\n> On Mon, Apr 20, 2026 at 10:45:41PM +0200, Pablo Neira Ayuso 
wrote:\n>> Hi Fernando,\n>>\n>> On Mon, Apr 20, 2026 at 12:47:45PM +0200, Fernando Fernandez Mancera wrote:\n>>> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c\n>>> index 76e01f292aaf..d366e294f1aa 100644\n>>> --- a/net/netfilter/xt_socket.c\n>>> +++ b/net/netfilter/xt_socket.c\n>>> @@ -55,8 +55,11 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,\n>>>   \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n>>>   \t\tsk = NULL;\n>>>   \n>>> -\tif (!sk)\n>>> +\tif (!sk) {\n>>> +\t\tif (par->fragoff)\n>>> +\t\t\treturn false;\n>>>   \t\tsk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));\n>>> +\t}\n>>>   \n>>>   \tif (sk) {\n>>>   \t\tbool wildcard;\n>>> 
@@ -116,8 +119,11 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)\n>>>   \tif (sk && !net_eq(xt_net(par), sock_net(sk)))\n>>>   \t\tsk = NULL;\n>>>   \n>>> -\tif (!sk)\n>>> +\tif (!sk) {\n>>> +\t\tif (par->fragoff)\n>>> +\t\t\treturn false;\n>>\n>> Your patch will work as intended in iptables over nf_tables, because\n>> it always sets on fragoff regardless of user policy.\n>>\n>> But, if ipv6_find_hdr() finds no layer 4 protocol, then fragoff\n>> remains zero, and pkt->flags does not set on NFT_PKTINFO_L4PROTO.\n>> There, in nftables, par->fragoff by itself is not reliable because\n>> maybe the layer 4 was not found.\n> \n> This is where pkt->tprot comes into play. I think this series is fine\n> with nf_tables, it is just ip6_tables legacy that lags behind.\n> \n\nHm, I didn't know this. Thanks for explaining. Then xt_socket is safe \nfor IPv6 as the code does:\n\n         tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n         if (tproto < 0) {\n                 pr_debug(\"unable to find transport header in IPv6 packet, dropping\\n\");\n                 return NULL;\n         }\n\nat nf_socket_get_sock_v6()\n\nOkay, let me re-send adjusting the IPv6 part..\n\n>> Then, there is ip6_tables legacy which does not behave like ip_tables\n>> for fragments.\n>>\n>> ip6t_do_table() only sets fragoff if IP6T_F_PROTO (-p in userspace) is\n>> used, unlike nftables which always sets on fragoff.\n>>\n>> So par->fragoff is unreliable in ip6_tables legacy, and\n>> ipv6_find_hdr() is called over and over again in the ip6_packet_match() loop\n>> for each rule.\n>>\n>> One way would be to call ipv6_find_hdr() unconditionally from\n>> ip6_tables legacy, but that belongs to a different patch and that\n>> would touch core ip6_tables legacy.\n>>\n>> Rewinding a bit, coming back to the original issue: osf only\n>> supports ipv4 :-)\n>>\n\nRight, but we need to fix this everywhere, not only in osf.\n\nThanks,\nFernando.\n\n>>>   \t\tsk = 
nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));\n>>> +\t}\n>>>   \n>>>   \tif (sk) {\n>>>   \t\tbool wildcard;\n>>> diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\n>>> index 0d32d4841cb3..69844cc8dbb8 100644\n>>> --- a/net/netfilter/xt_tcpmss.c\n>>> +++ b/net/netfilter/xt_tcpmss.c\n>>> 
@@ -32,6 +32,9 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n>>>   \tu8 _opt[15 * 4 - sizeof(_tcph)];\n>>>   \tunsigned int i, optlen;\n>>>   \n>>> +\tif (par->fragoff)\n>>> +\t\treturn false;\n>>> +\n>>>   \t/* If we don't have the whole header, drop packet. */\n>>>   \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n>>>   \tif (th == NULL)\n>>> -- \n>>> 2.53.0\n>>>\n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12092-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=oXlmcrPh;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=vIwgJe1k;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=oXlmcrPh;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=vIwgJe1k;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12092-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"oXlmcrPh\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"vIwgJe1k\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"oXlmcrPh\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"vIwgJe1k\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.130","smtp.subspace.kernel.org;\n 
dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out1.suse.de;\n\tnone"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzykz3cVqz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 07:08:27 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 4F382300C312\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 21:08:24 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 2DF2739F196;\n\tMon, 20 Apr 2026 21:08:23 +0000 (UTC)","from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 65C43946C\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 21:08:21 +0000 (UTC)","from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out1.suse.de (Postfix) with ESMTPS id 726FE6A7D5;\n\tMon, 20 Apr 2026 21:08:19 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 1C023593AE;\n\tMon, 20 Apr 2026 21:08:19 +0000 (UTC)","from 
dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid SdUWBMOV5ml7ZQAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Mon, 20 Apr 2026 21:08:19 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776719302; cv=none;\n b=bN5p8j35Y+cc+msEIm+xLwdbJo4QvxC3YSyLHKwgwGWAICO8BTJcOcrKGEiKN/G5Iw9f7PoFCXLaCXaEtcTHd+Wzqh/nxvzXQlDuV+ZeqXlZc/VX1Zn1Qt9dKWFSnYYKD3OTYbegef5St4WwzIrxtGfqCekFhQ770FWfHi/VvFw=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776719302; c=relaxed/simple;\n\tbh=eiig7UqC7KYu9Rke6U1ChITvIvOG/LCyJoCC3uipSys=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=Osf0jZ3LJaAglbyRz9TnCxK8Cx/wvuNDRU7codt9GyZjzOJCrJv1ZIGvn3cS48iQPeUvv3+MT5/sOn61iC+RMRF1woL+svbMEsbunQaCiZ9YJgaXU+pOlA8XKOHWinJaZEdGEi86HU52hVLYR3ZH1PNgNgI/5MGpm2MGGFef9m4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=oXlmcrPh;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=vIwgJe1k;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=oXlmcrPh;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=vIwgJe1k; arc=none smtp.client-ip=195.135.223.130","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776719299;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t 
in-reply-to:in-reply-to:references:references;\n\tbh=jilQR9GE8PoSmPRNaPz/68BpmSh+Xm9AVr4GLf+/mms=;\n\tb=oXlmcrPhwPIZZDVN4L6TDPVYorvQ8p+AEAQ/qXh0o3K0yBZ30a9HOTcU4dpMmzj4CBR6Kt\n\tLq4ZcbUwq1FzwRtmkx+NjRK+6ncCbaoCk4P2NvXr4xPRijWJBB1SAFwHbTm2B4yKtT9pvA\n\tgmnor4clBqgySs9p0QNz+7+qDxHDjZM=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776719299;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=jilQR9GE8PoSmPRNaPz/68BpmSh+Xm9AVr4GLf+/mms=;\n\tb=vIwgJe1kKkMK5D82jCeLr2/136AQgXcyLB3hU6jMKF1Yu9mLumHQ7xhhjDwo0c4Xr6NbbI\n\tdTLlEbjpXy9wHZAA==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776719299;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=jilQR9GE8PoSmPRNaPz/68BpmSh+Xm9AVr4GLf+/mms=;\n\tb=oXlmcrPhwPIZZDVN4L6TDPVYorvQ8p+AEAQ/qXh0o3K0yBZ30a9HOTcU4dpMmzj4CBR6Kt\n\tLq4ZcbUwq1FzwRtmkx+NjRK+6ncCbaoCk4P2NvXr4xPRijWJBB1SAFwHbTm2B4yKtT9pvA\n\tgmnor4clBqgySs9p0QNz+7+qDxHDjZM=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776719299;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=jilQR9GE8PoSmPRNaPz/68BpmSh+Xm9AVr4GLf+/mms=;\n\tb=vIwgJe1kKkMK5D82jCeLr2/136AQgXcyLB3hU6jMKF1Yu9mLumHQ7xhhjDwo0c4Xr6NbbI\n\tdTLlEbjpXy9wHZAA=="],"Message-ID":"<44c867f4-a9f7-4ca2-8c4e-ba13a5353815@suse.de>","Date":"Mon, 20 Apr 2026 23:08:14 
+0200","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 2/2 nf v2] netfilter: xtables: fix L4 header parsing for\n non-first fragments","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n ecklm94@gmail.com, phil@nwl.cc, fw@strlen.de","References":"<20260420104745.10338-1-fmancera@suse.de>\n <20260420104745.10338-2-fmancera@suse.de> <aeaQcrEMN-IYE7xI@chamomile>\n <aeaTcpPAk1HDjUoD@chamomile>","Content-Language":"en-US","From":"Fernando Fernandez Mancera <fmancera@suse.de>","In-Reply-To":"<aeaTcpPAk1HDjUoD@chamomile>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Spamd-Result":"default: False [-4.30 / 50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tARC_NA(0.00)[];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tMIME_TRACE(0.00)[0:+];\n\tTO_DN_SOME(0.00)[];\n\tRCVD_TLS_ALL(0.00)[];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tMID_RHS_MATCH_FROM(0.00)[];\n\tFREEMAIL_ENVRCPT(0.00)[gmail.com];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tFROM_HAS_DN(0.00)[];\n\tFREEMAIL_CC(0.00)[vger.kernel.org,netfilter.org,gmail.com,nwl.cc,strlen.de];\n\tRCPT_COUNT_FIVE(0.00)[6];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:mid,imap1.dmz-prg2.suse.org:helo]","X-Spam-Flag":"NO","X-Spam-Score":"-4.30","X-Spam-Level":""}}]