[{"id":3681992,"web_url":"http://patchwork.ozlabs.org/comment/3681992/","msgid":"<aetWRt8_AlLabPtm@chamomile>","list_archive_url":null,"date":"2026-04-24T11:38:46","subject":"Re: [PATCH 3/3 nf v3] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Tue, Apr 21, 2026 at 12:44:09PM +0200, Fernando Fernandez Mancera wrote:\n> Multiple targets and matches rely on the L4 header to operate. For\n> fragmented packets, every fragment carries the transport protocol\n> identifier, but only the first fragment contains the L4 header.\n> \n> As the 'raw' table can be configured to run at priority -450 (before\n> defragmentation at -400), the target/match can be reached before\n> reassembly. In this case, non-first fragments have their payload\n> incorrectly parsed as a TCP/UDP header. This would be of course a\n> misconfiguration scenario. In most of the cases this just leads to\n> unreliable behavior for fragmented traffic.\n> \n> Add a fragment check to ensure target/match only evaluates unfragmented\n> packets or the first fragment in the stream.\n\nAI reports xt_hashlimit could be a good candidate to check for\nfragoff, I think it is, so I would suggest to expand it there to cover\nthis.\n\nIt also mentions synproxy as another candidate but IPv6 synproxy does\nnot do ipv6_find_hdr() on purpose I think (it assumed nexthdr is TCP)\nfor SYN and ACK packets, so checking for fragoff there is not\npossible. Given this is to deal with flood, I think it is worth\nthe fragoff validation.\n\n> Fixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\n> 
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n> ---\n> v2: handled ecn, socket and tcpmss matches\n> v3: extracted socket to its own patch with a generic solution for\n> nft/xt, added a comment specifying that par->fragoff is fine for\n> ecn/tcpmss ipv6 as they enforce -p tcp. Keep in mind that osf only\n> supports ipv4.\n> ---\n>  net/netfilter/xt_TPROXY.c | 11 +++++++++--\n>  net/netfilter/xt_ecn.c    |  4 ++++\n>  net/netfilter/xt_osf.c    |  3 +++\n>  net/netfilter/xt_tcpmss.c |  4 ++++\n>  4 files changed, 20 insertions(+), 2 deletions(-)\n> \n> diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c\n> index e4bea1d346cf..5f60e7298a1e 100644\n> --- a/net/netfilter/xt_TPROXY.c\n> +++ b/net/netfilter/xt_TPROXY.c\n> @@ -86,6 +86,9 @@ tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)\n>  {\n>  \tconst struct xt_tproxy_target_info *tgi = par->targinfo;\n>  \n> +\tif (par->fragoff)\n> +\t\treturn NF_DROP;\n> +\n>  \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,\n>  \t\t\t  tgi->mark_mask, tgi->mark_value);\n>  }\n> @@ -95,6 +98,9 @@ tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>  {\n>  \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n>  \n> +\tif (par->fragoff)\n> +\t\treturn NF_DROP;\n> +\n>  \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,\n>  \t\t\t  tgi->mark_mask, tgi->mark_value);\n>  }\n> @@ -106,6 +112,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>  {\n>  \tconst struct ipv6hdr *iph = ipv6_hdr(skb);\n>  \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n> +\tunsigned short fragoff = 0;\n>  \tstruct udphdr _hdr, *hp;\n>  \tstruct sock *sk;\n>  \tconst struct in6_addr *laddr;\n> 
@@ -113,8 +120,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>  \tint thoff = 0;\n>  \tint tproto;\n>  \n> -\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n> -\tif (tproto < 0)\n> +\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n> +\tif (tproto < 0 || fragoff)\n>  \t\treturn NF_DROP;\n>  \n>  \thp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);\n> diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c\n> index b96e8203ac54..a8503f5d26bf 100644\n> --- a/net/netfilter/xt_ecn.c\n> +++ b/net/netfilter/xt_ecn.c\n> @@ -30,6 +30,10 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)\n>  \tstruct tcphdr _tcph;\n>  \tconst struct tcphdr *th;\n>  \n> +\t/* this is fine for IPv6 as ecn_mt_check6() enforces -p tcp */\n> +\tif (par->fragoff)\n> +\t\treturn false;\n> +\n>  \t/* In practice, TCP match does this, so can't fail.  But let's\n>  \t * be good citizens.\n>  \t */\n> diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c\n> index dc9485854002..e8807caede68 100644\n> --- a/net/netfilter/xt_osf.c\n> +++ b/net/netfilter/xt_osf.c\n> @@ -27,6 +27,9 @@\n>  static bool\n>  xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)\n>  {\n> +\tif (p->fragoff)\n> +\t\treturn false;\n> +\n>  \treturn nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p),\n>  \t\t\t    xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers);\n>  }\n> diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\n> index 0d32d4841cb3..b9da8269161d 100644\n> --- a/net/netfilter/xt_tcpmss.c\n> +++ b/net/netfilter/xt_tcpmss.c\n> 
@@ -32,6 +32,10 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n>  \tu8 _opt[15 * 4 - sizeof(_tcph)];\n>  \tunsigned int i, optlen;\n>  \n> +\t/* this is fine for IPv6 as xt_tcpmss enforces -p tcp */\n> +\tif (par->fragoff)\n> +\t\treturn false;\n> +\n>  \t/* If we don't have the whole header, drop packet. */\n>  \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n>  \tif (th == NULL)\n> -- \n> 2.53.0\n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12175-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Date":"Fri, 24 Apr 2026 13:38:46 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tecklm94@gmail.com, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH 3/3 nf v3] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Message-ID":"<aetWRt8_AlLabPtm@chamomile>","References":"<20260421104409.5452-1-fmancera@suse.de>\n <20260421104409.5452-3-fmancera@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260421104409.5452-3-fmancera@suse.de>"}},{"id":3682058,"web_url":"http://patchwork.ozlabs.org/comment/3682058/","msgid":"<463e0514-686b-4680-8d84-7cda0dbba121@suse.de>","list_archive_url":null,"date":"2026-04-24T14:33:56","subject":"Re: [PATCH 3/3 nf v3] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 4/24/26 1:38 PM, Pablo Neira Ayuso wrote:\n> On Tue, Apr 21, 2026 at 12:44:09PM +0200, Fernando Fernandez Mancera wrote:\n>> Multiple targets and matches rely on the L4 header to operate. For\n>> fragmented packets, every fragment carries the transport protocol\n>> identifier, but only the first fragment contains the L4 header.\n>>\n>> As the 'raw' table can be configured to run at priority -450 (before\n>> defragmentation at -400), the target/match can be reached before\n>> reassembly. In this case, non-first fragments have their payload\n>> incorrectly parsed as a TCP/UDP header. This would be of course a\n>> misconfiguration scenario. In most of the cases this just leads to\n>> unreliable behavior for fragmented traffic.\n>>\n>> Add a fragment check to ensure target/match only evaluates unfragmented\n>> packets or the first fragment in the stream.\n> \n\nHi Pablo,\n\n> AI reports xt_hashlimit could be a good candidate to check for\n> fragoff, I think it is, so I would suggest to expand it there to cover\n> this.\n> \n\nThis seems like a good catch. I will work on this.\n\n> It also mentions synproxy as another candidate but IPv6 synproxy does\n> not do ipv6_find_hdr() on purpose I think (it assumed nexthdr is TCP)\n> for SYN and ACK packets, so checking for fragoff there is not\n> possible. Given this is to deal with flood, I think it is worth\n> the fragoff validation.\n> \n\nI don't think it makes sense for SYNPROXY. SYNPROXY requires conntrack \nto work both ipt_SYNPROXY and nft_synproxy and only allows LOCAL_IN and \nFORWARD hooks so it should be fine AFAIU. I don't understand how someone \ncould skip defragmentation here.\n\nMaybe something extra to add to ipt_SYNPROXY is a restriction for TCP \nprotocol only. As the code currently assumes the transport layer is TCP \nwhich isn't enforced.\n\nBut that would be kind of a different fix. What do you think?\n\n>> Fixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\n>> 
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n>> ---\n>> v2: handled ecn, socket and tcpmss matches\n>> v3: extracted socket to its own patch with a generic solution for\n>> nft/xt, added a comment specifying that par->fragoff is fine for\n>> ecn/tcpmss ipv6 as they enforce -p tcp. Keep in mind that osf only\n>> supports ipv4.\n>> ---\n>>   net/netfilter/xt_TPROXY.c | 11 +++++++++--\n>>   net/netfilter/xt_ecn.c    |  4 ++++\n>>   net/netfilter/xt_osf.c    |  3 +++\n>>   net/netfilter/xt_tcpmss.c |  4 ++++\n>>   4 files changed, 20 insertions(+), 2 deletions(-)\n>>\n>> diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c\n>> index e4bea1d346cf..5f60e7298a1e 100644\n>> --- a/net/netfilter/xt_TPROXY.c\n>> +++ b/net/netfilter/xt_TPROXY.c\n>> @@ -86,6 +86,9 @@ tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)\n>>   {\n>>   \tconst struct xt_tproxy_target_info *tgi = par->targinfo;\n>>   \n>> +\tif (par->fragoff)\n>> +\t\treturn NF_DROP;\n>> +\n>>   \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,\n>>   \t\t\t  tgi->mark_mask, tgi->mark_value);\n>>   }\n>> @@ -95,6 +98,9 @@ tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>>   {\n>>   \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n>>   \n>> +\tif (par->fragoff)\n>> +\t\treturn NF_DROP;\n>> +\n>>   \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,\n>>   \t\t\t  tgi->mark_mask, tgi->mark_value);\n>>   }\n>> @@ -106,6 +112,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>>   {\n>>   \tconst struct ipv6hdr *iph = ipv6_hdr(skb);\n>>   \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n>> +\tunsigned short fragoff = 0;\n>>   \tstruct udphdr _hdr, *hp;\n>>   \tstruct sock *sk;\n>>   \tconst struct in6_addr *laddr;\n>> 
@@ -113,8 +120,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>>   \tint thoff = 0;\n>>   \tint tproto;\n>>   \n>> -\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n>> -\tif (tproto < 0)\n>> +\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n>> +\tif (tproto < 0 || fragoff)\n>>   \t\treturn NF_DROP;\n>>   \n>>   \thp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);\n>> diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c\n>> index b96e8203ac54..a8503f5d26bf 100644\n>> --- a/net/netfilter/xt_ecn.c\n>> +++ b/net/netfilter/xt_ecn.c\n>> @@ -30,6 +30,10 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)\n>>   \tstruct tcphdr _tcph;\n>>   \tconst struct tcphdr *th;\n>>   \n>> +\t/* this is fine for IPv6 as ecn_mt_check6() enforces -p tcp */\n>> +\tif (par->fragoff)\n>> +\t\treturn false;\n>> +\n>>   \t/* In practice, TCP match does this, so can't fail.  But let's\n>>   \t * be good citizens.\n>>   \t */\n>> diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c\n>> index dc9485854002..e8807caede68 100644\n>> --- a/net/netfilter/xt_osf.c\n>> +++ b/net/netfilter/xt_osf.c\n>> @@ -27,6 +27,9 @@\n>>   static bool\n>>   xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)\n>>   {\n>> +\tif (p->fragoff)\n>> +\t\treturn false;\n>> +\n>>   \treturn nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p),\n>>   \t\t\t    xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers);\n>>   }\n>> diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\n>> index 0d32d4841cb3..b9da8269161d 100644\n>> --- a/net/netfilter/xt_tcpmss.c\n>> +++ b/net/netfilter/xt_tcpmss.c\n>> 
@@ -32,6 +32,10 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n>>   \tu8 _opt[15 * 4 - sizeof(_tcph)];\n>>   \tunsigned int i, optlen;\n>>   \n>> +\t/* this is fine for IPv6 as xt_tcpmss enforces -p tcp */\n>> +\tif (par->fragoff)\n>> +\t\treturn false;\n>> +\n>>   \t/* If we don't have the whole header, drop packet. */\n>>   \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n>>   \tif (th == NULL)\n>> -- \n>> 2.53.0\n>>\n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12176-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Message-ID":"<463e0514-686b-4680-8d84-7cda0dbba121@suse.de>","Date":"Fri, 24 Apr 2026 16:33:56 +0200","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 3/3 nf v3] netfilter: xtables: fix L4 header parsing for\n non-first fragments","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n ecklm94@gmail.com, phil@nwl.cc, fw@strlen.de","References":"<20260421104409.5452-1-fmancera@suse.de>\n <20260421104409.5452-3-fmancera@suse.de> <aetWRt8_AlLabPtm@chamomile>","Content-Language":"en-US","From":"Fernando Fernandez Mancera <fmancera@suse.de>","In-Reply-To":"<aetWRt8_AlLabPtm@chamomile>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit"}}]