[{"id":3679831,"web_url":"http://patchwork.ozlabs.org/comment/3679831/","msgid":"<aedgp7Zx_b1xrnYC@chamomile>","list_archive_url":null,"date":"2026-04-21T11:33:59","subject":"Re: [PATCH 1/3 nf v3] netfilter: nf_socket: skip socket lookup for\n non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi Fernando,\n\nThis series LGTM; it is addressing the issues we have discussed.\n\nOn Tue, Apr 21, 2026 at 12:44:07PM +0200, Fernando Fernandez Mancera wrote:\n> Both nft_socket and xt_socket rely on L4 headers to perform socket\n> lookup in the slow path. For fragmented packets, while the IP protocol\n> remains constant across all fragments, only the first fragment contains\n> the actual L4 header.\n> \n> As the expression/match could be attached to a chain with a priority\n> lower than -400, it could bypass defragmentation.\n> \n> Add a check for fragmentation in the lookup functions directly so the\n> problem is handled for both nft_socket and xt_socket at the same time.\n> In addition, future users of the functions would not need to care about\n> this.\n> \n> Fixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\n> Fixes: 554ced0a6e29 (\"netfilter: nf_tables: add support for native socket matching\")\n> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n> ---\n> v3: added this patch to the series, I split this as the fix is\n> generic for both nft_socket and xt_socket\n> ---\n>  net/ipv4/netfilter/nf_socket_ipv4.c | 3 +++\n>  net/ipv6/netfilter/nf_socket_ipv6.c | 5 +++--\n>  2 files changed, 6 insertions(+), 2 deletions(-)\n> \n> diff --git a/net/ipv4/netfilter/nf_socket_ipv4.c b/net/ipv4/netfilter/nf_socket_ipv4.c\n> index 5080fa5fbf6a..f9c6755f5ec5 100644\n> --- a/net/ipv4/netfilter/nf_socket_ipv4.c\n> +++ b/net/ipv4/netfilter/nf_socket_ipv4.c\n> 
@@ -94,6 +94,9 @@ struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,\n>  #endif\n>  \tint doff = 0;\n>  \n> +\tif (ntohs(iph->frag_off) & IP_OFFSET)\n> +\t\treturn NULL;\n> +\n>  \tif (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {\n>  \t\tstruct tcphdr _hdr;\n>  \t\tstruct udphdr *hp;\n> diff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c\n> index ced8bd44828e..893f2aeb4711 100644\n> --- a/net/ipv6/netfilter/nf_socket_ipv6.c\n> +++ b/net/ipv6/netfilter/nf_socket_ipv6.c\n> @@ -100,6 +100,7 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n>  \tconst struct in6_addr *daddr = NULL, *saddr = NULL;\n>  \tstruct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var;\n>  \tstruct sk_buff *data_skb = NULL;\n> +\tunsigned short fragoff = 0;\n>  \tint doff = 0;\n>  \tint thoff = 0, tproto;\n>  #if IS_ENABLED(CONFIG_NF_CONNTRACK)\n> 
@@ -107,8 +108,8 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n>  \tstruct nf_conn const *ct;\n>  #endif\n>  \n> -\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n> -\tif (tproto < 0) {\n> +\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n> +\tif (tproto < 0 || fragoff) {\n>  \t\tpr_debug(\"unable to find transport header in IPv6 packet, dropping\\n\");\n>  \t\treturn NULL;\n>  \t}\n> -- \n> 2.53.0\n>","headers":{"Date":"Tue, 21 Apr 2026 13:33:59 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tecklm94@gmail.com, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH 1/3 nf v3] netfilter: nf_socket: skip socket lookup for\n non-first fragments","Message-ID":"<aedgp7Zx_b1xrnYC@chamomile>","References":"<20260421104409.5452-1-fmancera@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260421104409.5452-1-fmancera@suse.de>"}}]
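Review bot: in the nf_socket_ipv4.c hunk (@@ -94,6 +94,9 @@), the new `if (ntohs(iph->frag_off) & IP_OFFSET) return NULL;` bails out silently, while the nf_socket_ipv6.c hunk of the same patch emits a pr_debug before its `return NULL`; adding a matching `pr_debug("non-first IPv4 fragment, skipping socket lookup\n");` before the return would keep the two lookup helpers consistent and make the skipped-lookup path visible when debugging a chain registered below the -400 defrag priority that the commit message describes. Placing the check ahead of the `iph->protocol == IPPROTO_UDP || ... IPPROTO_TCP` branch is the right spot, since a later fragment carries no TCP/UDP header to read, and masking the host-order value from `ntohs()` with `IP_OFFSET` is the correct way to test for a non-zero fragment offset.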
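Review bot: in the nf_socket_ipv6.c hunk (@@ -107,8 +108,8 @@), the condition `if (tproto < 0 || fragoff)` now routes two different cases through the same `pr_debug("unable to find transport header in IPv6 packet, dropping\n")`: a header chain that could not be parsed and a well-formed non-first fragment that simply has no transport header to look up. Consider giving the fragment case its own branch with a message saying a non-first fragment is being skipped; the existing wording is misleading for that path, and "dropping" already overstates what `return NULL` does here (the lookup reports no matching socket, it does not drop the packet). Passing `&fragoff` instead of NULL, together with the `unsigned short fragoff = 0;` initialisation added in the preceding declaration hunk, is needed because the out-parameter is only written when a fragment header with a non-zero offset is encountered.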