Subject: Re: [PATCH nf,v5] netfilter: arp_tables: fix IEEE1394 ARP payload parsing
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: fw@strlen.de
Date: Wed, 22 Apr 2026 10:59:54 +0200
Message-ID: <aeiOCgzW7TNmPxuu@chamomile>
In-Reply-To: <20260421183514.167201-1-pablo@netfilter.org>
Patchwork: http://patchwork.ozlabs.org/comment/3680343/

Hi Florian,

I am tossing this approach and getting back to the approach that
checks skb->dev, arp_process comes _after_ NF_HOOK_ARP_IN.

On Tue, Apr 21, 2026 at 08:35:14PM +0200, Pablo Neira Ayuso wrote:
> Weiming Shi says:
> 
> "arp_packet_match() unconditionally parses the ARP payload assuming two
> hardware addresses are present (source and target). However,
> IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
> field, and arp_hdr_len() already accounts for this by returning a
> shorter length for ARPHRD_IEEE1394 devices.
> 
> As a result, on IEEE1394 interfaces arp_packet_match() advances past a
> nonexistent target hardware address and reads the wrong bytes for both
> the target device address comparison and the target IP address. This
> causes arptables rules to match against garbage data, leading to
> incorrect filtering decisions: packets that should be accepted may be
> dropped and vice versa.
> 
> The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
> handles this correctly by skipping the target hardware address for
> ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."
> 
> This patch always returns 0 (no match) in case the user matches on the target
> hardware address, which is never present in IEEE1394.
> 
> Note that this returns 0 (no match) for both normal and inverse match
> because matching on the target hardware address in ARPHRD_IEEE1394 has
> never been supported by arptables. This is intentional: matching on the
> target hardware address should never evaluate true for ARPHRD_IEEE1394.
> 
> Moreover, adjust arpt_mangle to drop the packet if the user tries to mangle
> the target hardware and IP address in IEEE1394; this has never been
> supported.
> 
> Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
> Reported-by: Xiang Mei <xmei5@asu.edu>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> v5: check for arphdr->ar_hrd == htons(ARPHRD_IEEE1394) in
>     arp_packet_match() too.
> 
>  net/ipv4/netfilter/arp_tables.c  | 19 ++++++++++++++++---
>  net/ipv4/netfilter/arpt_mangle.c |  8 ++++++++
>  2 files changed, 24 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
> index 1cdd9c28ab2d..e4b2106d0456 100644
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -110,13 +110,26 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
>  	arpptr += dev->addr_len;
>  	memcpy(&src_ipaddr, arpptr, sizeof(u32));
>  	arpptr += sizeof(u32);
> -	tgt_devaddr = arpptr;
> -	arpptr += dev->addr_len;
> +
> +	if (IS_ENABLED(CONFIG_FIREWIRE_NET) &&
> +	    arphdr->ar_hrd == htons(ARPHRD_IEEE1394)) {
> +		if (unlikely(memchr_inv(arpinfo->tgt_devaddr.mask, 0,
> +					sizeof(arpinfo->tgt_devaddr.mask))))
> +			return 0;
> +
> +		tgt_devaddr = NULL;
> +	} else {
> +		tgt_devaddr = arpptr;
> +		arpptr += dev->addr_len;
> +	}
>  	memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
>  
>  	if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
>  		    arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
> -					dev->addr_len)) ||
> +					dev->addr_len)))
> +		return 0;
> +
> +	if (tgt_devaddr &&
>  	    NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
>  		    arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
>  					dev->addr_len)))
> diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
> index a4e07e5e9c11..285b1123b05c 100644
> --- a/net/ipv4/netfilter/arpt_mangle.c
> +++ b/net/ipv4/netfilter/arpt_mangle.c
> @@ -40,6 +40,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
>  	}
>  	arpptr += pln;
>  	if (mangle->flags & ARPT_MANGLE_TDEV) {
> +		if (IS_ENABLED(CONFIG_FIREWIRE_NET) &&
> +		    arp->ar_hrd == htons(ARPHRD_IEEE1394))
> +			return NF_DROP;
> +
>  		if (ARPT_DEV_ADDR_LEN_MAX < hln ||
>  		   (arpptr + hln > skb_tail_pointer(skb)))
>  			return NF_DROP;
> @@ -47,6 +51,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
>  	}
>  	arpptr += hln;
>  	if (mangle->flags & ARPT_MANGLE_TIP) {
> +		if (IS_ENABLED(CONFIG_FIREWIRE_NET) &&
> +		    arp->ar_hrd == htons(ARPHRD_IEEE1394))
> +			return NF_DROP;
> +
>  		if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
>  		   (arpptr + pln > skb_tail_pointer(skb)))
>  			return NF_DROP;
> -- 
> 2.47.3
> 
> 
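Review bot: in the arp_packet_match() hunk (@@ -110,13 +110,26 @@), the layout decision keys off the packet-supplied `arphdr->ar_hrd == htons(ARPHRD_IEEE1394)` while the stride used to step over the addresses is the device's `dev->addr_len`; a frame arriving on a non-IEEE1394 interface whose ARP header claims ARPHRD_IEEE1394 would therefore have its target hardware address skipped and `tgt_ipaddr` read from the wrong offset, which is the same class of mis-parse this patch sets out to fix. Deciding on the receiving device instead, as the reply at the top of this message proposes (check skb->dev), keeps the parse consistent with the device the addresses were sized for. Two smaller points: the early `return 0` when `tgt_devaddr.mask` is non-zero also silences `ARPT_INV_TGTDEVADDR`, which the changelog says is intentional, so a one-line comment at that return would save the next reader the trip to the commit message; and because of that mask check the later `if (tgt_devaddr && NF_INVF(...))` guard is only ever reached with an all-zero mask in the IEEE1394 case, which is worth stating beside the `tgt_devaddr = NULL` assignment.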
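Review bot: the IEEE1394 check added inside the `ARPT_MANGLE_TDEV` block (@@ -40,6 +40,10 @@) is repeated verbatim inside the `ARPT_MANGLE_TIP` block in the next hunk, and both return NF_DROP for the same condition; a single check placed before the TDEV block, along the lines of `if (IS_ENABLED(CONFIG_FIREWIRE_NET) && (mangle->flags & (ARPT_MANGLE_TDEV | ARPT_MANGLE_TIP)) && arp->ar_hrd == htons(ARPHRD_IEEE1394)) return NF_DROP;`, gives the same result with one copy of the condition and keeps the two blocks from drifting apart when one of them is touched later.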
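Review bot: in the `ARPT_MANGLE_TIP` hunk (@@ -47,6 +51,10 @@), returning NF_DROP turns an unsupported rule configuration (mangling the target IP address on an IEEE1394 interface) into silent packet loss on the data path, with nothing visible to the administrator who loaded the rule; since the commit message says this combination has never been supported, rejecting the rule when it is inserted would surface the problem where it is caused, and if the runtime drop is kept as a backstop, a comment would help explain why it is needed: the `arpptr += hln` just above this block steps over a target hardware address that IEEE1394 ARP does not carry, so the target IP field would otherwise be rewritten at the wrong offset.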