[{"id":3682812,"web_url":"http://patchwork.ozlabs.org/comment/3682812/","msgid":"<ae-MRZ47QurmXY7z@chamomile>","list_archive_url":null,"date":"2026-04-27T16:18:13","subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi Fernando,\n\nOn Mon, Apr 27, 2026 at 01:27:20PM +0200, Fernando Fernandez Mancera wrote:\n> Multiple targets and matches rely on the L4 header to operate. For\n> fragmented packets, every fragment carries the transport protocol\n> identifier, but only the first fragment contains the L4 header.\n> \n> As the 'raw' table can be configured to run at priority -450 (before\n> defragmentation at -400), the target/match can be reached before\n> reassembly. In this case, non-first fragments have their payload\n> incorrectly parsed as a TCP/UDP header. This would be of course a\n> misconfiguration scenario. In most of the cases this just leads to\n> unreliable behavior for fragmented traffic.\n> \n> Add a fragment check to ensure target/match only evaluates unfragmented\n> packets or the first fragment in the stream.\n> \n> Fixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\n> 
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n> ---\n> v2: handled ecn, socket and tcpmss matches\n> v3: extracted socket to its own patch with a generic solution for\n> nft/xt, added a comment specifying that par->fragoff is fine for\n> ecn/tcpmss ipv6 as they enforce -p tcp. Keep in mind that osf only\n> supports ipv4.\n> v4: handled xt_hashlimit too\n\nPlease, send a v5 including nft_payload_fast_eval():\n\ndiff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c\nindex 5ddd5b6e135f..8ab186f86dd4 100644\n--- a/net/netfilter/nf_tables_core.c\n+++ b/net/netfilter/nf_tables_core.c\n@@ -153,7 +153,7 @@ static bool nft_payload_fast_eval(const struct nft_expr *expr,\n        if (priv->base == NFT_PAYLOAD_NETWORK_HEADER)\n                ptr = skb_network_header(skb) + pkt->nhoff;\n        else {\n-               if (!(pkt->flags & NFT_PKTINFO_L4PROTO))\n+               if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)\n                        return false;\n                ptr = skb->data + nft_thoff(pkt);\n        }\n\n\nThanks.\n\n\n> ---\n>  net/netfilter/xt_TPROXY.c    | 11 +++++++++--\n>  net/netfilter/xt_ecn.c       |  4 ++++\n>  net/netfilter/xt_hashlimit.c |  4 +++-\n>  net/netfilter/xt_osf.c       |  3 +++\n>  net/netfilter/xt_tcpmss.c    |  4 ++++\n>  5 files changed, 23 insertions(+), 3 deletions(-)\n> \n> diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c\n> index e4bea1d346cf..5f60e7298a1e 100644\n> --- a/net/netfilter/xt_TPROXY.c\n> +++ b/net/netfilter/xt_TPROXY.c\n> @@ -86,6 +86,9 @@ tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)\n>  {\n>  \tconst struct xt_tproxy_target_info *tgi = par->targinfo;\n>  \n> +\tif (par->fragoff)\n> +\t\treturn NF_DROP;\n> +\n>  \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,\n>  \t\t\t  tgi->mark_mask, tgi->mark_value);\n>  }\n> 
@@ -95,6 +98,9 @@ tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>  {\n>  \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n>  \n> +\tif (par->fragoff)\n> +\t\treturn NF_DROP;\n> +\n>  \treturn tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,\n>  \t\t\t  tgi->mark_mask, tgi->mark_value);\n>  }\n> @@ -106,6 +112,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>  {\n>  \tconst struct ipv6hdr *iph = ipv6_hdr(skb);\n>  \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n> +\tunsigned short fragoff = 0;\n>  \tstruct udphdr _hdr, *hp;\n>  \tstruct sock *sk;\n>  \tconst struct in6_addr *laddr;\n> @@ -113,8 +120,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n>  \tint thoff = 0;\n>  \tint tproto;\n>  \n> -\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n> -\tif (tproto < 0)\n> +\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n> +\tif (tproto < 0 || fragoff)\n>  \t\treturn NF_DROP;\n>  \n>  \thp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);\n> diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c\n> index b96e8203ac54..a8503f5d26bf 100644\n> --- a/net/netfilter/xt_ecn.c\n> +++ b/net/netfilter/xt_ecn.c\n> @@ -30,6 +30,10 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)\n>  \tstruct tcphdr _tcph;\n>  \tconst struct tcphdr *th;\n>  \n> +\t/* this is fine for IPv6 as ecn_mt_check6() enforces -p tcp */\n> +\tif (par->fragoff)\n> +\t\treturn false;\n> +\n>  \t/* In practice, TCP match does this, so can't fail.  But let's\n>  \t * be good citizens.\n>  \t */\n> diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c\n> index 3bd127bfc114..2704b4b60d1e 100644\n> --- a/net/netfilter/xt_hashlimit.c\n> +++ b/net/netfilter/xt_hashlimit.c\n> 
@@ -658,6 +658,8 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,\n>  \t\tif (!(hinfo->cfg.mode &\n>  \t\t      (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))\n>  \t\t\treturn 0;\n> +\t\tif (ntohs(ip_hdr(skb)->frag_off) & IP_OFFSET)\n> +\t\t\treturn -1;\n>  \t\tnexthdr = ip_hdr(skb)->protocol;\n>  \t\tbreak;\n>  #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)\n> @@ -681,7 +683,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,\n>  \t\t\treturn 0;\n>  \t\tnexthdr = ipv6_hdr(skb)->nexthdr;\n>  \t\tprotoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);\n> -\t\tif ((int)protoff < 0)\n> +\t\tif ((int)protoff < 0 || ntohs(frag_off) & IP6_OFFSET)\n>  \t\t\treturn -1;\n>  \t\tbreak;\n>  \t}\n> diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c\n> index dc9485854002..e8807caede68 100644\n> --- a/net/netfilter/xt_osf.c\n> +++ b/net/netfilter/xt_osf.c\n> @@ -27,6 +27,9 @@\n>  static bool\n>  xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)\n>  {\n> +\tif (p->fragoff)\n> +\t\treturn false;\n> +\n>  \treturn nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p),\n>  \t\t\t    xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers);\n>  }\n> diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c\n> index 0d32d4841cb3..b9da8269161d 100644\n> --- a/net/netfilter/xt_tcpmss.c\n> +++ b/net/netfilter/xt_tcpmss.c\n> 
@@ -32,6 +32,10 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)\n>  \tu8 _opt[15 * 4 - sizeof(_tcph)];\n>  \tunsigned int i, optlen;\n>  \n> +\t/* this is fine for IPv6 as xt_tcpmss enforces -p tcp */\n> +\tif (par->fragoff)\n> +\t\treturn false;\n> +\n>  \t/* If we don't have the whole header, drop packet. */\n>  \tth = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);\n>  \tif (th == NULL)\n> -- \n> 2.53.0\n> \n>","headers":{"Date":"Mon, 27 Apr 2026 18:18:13 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org, phil@nwl.cc,\n\tfw@strlen.de","Subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Message-ID":"<ae-MRZ47QurmXY7z@chamomile>","References":"<20260427112720.5128-1-fmancera@suse.de>\n <20260427112720.5128-3-fmancera@suse.de>","List-Id":"<netfilter-devel.vger.kernel.org>","In-Reply-To":"<20260427112720.5128-3-fmancera@suse.de>"}},
{"id":3682823,"web_url":"http://patchwork.ozlabs.org/comment/3682823/","msgid":"<ae-P4Sbl-0vpFrUY@strlen.de>","list_archive_url":null,"date":"2026-04-27T16:33:37","subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> -               if (!(pkt->flags & NFT_PKTINFO_L4PROTO))\n> +               if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)\n>                         return false;\n\nWhat is NFT_PKTINFO_L4PROTO supposed to mean?\nI thought it meant there is an l4 header but its set unconditionally\nfor ipv4.  Only the ipv6 handling makes sense to me.","headers":{"Date":"Mon, 27 Apr 2026 18:33:37 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"Fernando Fernandez Mancera <fmancera@suse.de>,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tphil@nwl.cc","Subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Message-ID":"<ae-P4Sbl-0vpFrUY@strlen.de>","References":"<20260427112720.5128-1-fmancera@suse.de>\n <20260427112720.5128-3-fmancera@suse.de>\n <ae-MRZ47QurmXY7z@chamomile>","List-Id":"<netfilter-devel.vger.kernel.org>","In-Reply-To":"<ae-MRZ47QurmXY7z@chamomile>"}},
{"id":3682845,"web_url":"http://patchwork.ozlabs.org/comment/3682845/","msgid":"<ae-bk_I_8CZyg5qA@chamomile>","list_archive_url":null,"date":"2026-04-27T17:23:31","subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 27, 2026 at 06:33:37PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > -               if (!(pkt->flags & NFT_PKTINFO_L4PROTO))\n> > +               if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)\n> >                         return false;\n> \n> What is NFT_PKTINFO_L4PROTO supposed to mean?\n\n\"IP packet has been fully parsed\"\n\n> I thought it meant there is an l4 header but its set unconditionally\n> for ipv4.\n\nFlag name is a misleading.\n\nSee my recent comment in this function:\n\nstatic void nft_meta_pktinfo_may_update(struct nft_pktinfo *pkt)\n{                       \n        struct sk_buff *skb = pkt->skb;\n        struct vlan_ethhdr *veth;\n        __be16 ethertype;\n        int nhoff;\n                \n        /* Is this an IP packet? Then, skip. */\n        if (pkt->flags) \n                return;\n\n> Only the ipv6 handling makes sense to me.\n\nMaybe a helper function can be added, eg. nft_ip() then this flag can\nbe renamed.","headers":{"Date":"Mon, 27 Apr 2026 19:23:31 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"Fernando Fernandez Mancera <fmancera@suse.de>,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tphil@nwl.cc","Subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Message-ID":"<ae-bk_I_8CZyg5qA@chamomile>","References":"<20260427112720.5128-1-fmancera@suse.de>\n <20260427112720.5128-3-fmancera@suse.de>\n <ae-MRZ47QurmXY7z@chamomile>\n <ae-P4Sbl-0vpFrUY@strlen.de>","List-Id":"<netfilter-devel.vger.kernel.org>","In-Reply-To":"<ae-P4Sbl-0vpFrUY@strlen.de>"}},
{"id":3682931,"web_url":"http://patchwork.ozlabs.org/comment/3682931/","msgid":"<1fa9bf99-aa1f-4559-93bb-238a0d856582@suse.de>","list_archive_url":null,"date":"2026-04-27T20:00:26","subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 4/27/26 7:23 PM, Pablo Neira Ayuso wrote:\n> On Mon, Apr 27, 2026 at 06:33:37PM +0200, Florian Westphal wrote:\n>> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n>>> -               if (!(pkt->flags & NFT_PKTINFO_L4PROTO))\n>>> +               if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)\n>>>                          return false;\n>>\n>> What is NFT_PKTINFO_L4PROTO supposed to mean?\n> \n> \"IP packet has been fully parsed\"\n> \n\nI thought it was something different. Actually, I saw check before and \nthought it was safe.\n\nLet me adjust it on a v5 and thanks for pointing it out.\n\n>> I thought it meant there is an l4 header but its set unconditionally\n>> for ipv4.\n> \n> Flag name is a misleading.\n> \n> See my recent comment in this function:\n> \n> static void nft_meta_pktinfo_may_update(struct nft_pktinfo *pkt)\n> {\n>          struct sk_buff *skb = pkt->skb;\n>          struct vlan_ethhdr *veth;\n>          __be16 ethertype;\n>          int nhoff;\n>                  \n>          /* Is this an IP packet? Then, skip. */\n>          if (pkt->flags)\n>                  return;\n> \n>> Only the ipv6 handling makes sense to me.\n> \n> Maybe a helper function can be added, eg. nft_ip() then this flag can\n> be renamed.\n\nI will revisit the flag and its usage. Because there might be some more \nproblematic uses. Anyway, the helper sounds like a good thing. Added to \nmy nf-next TO-DO list.\n\nThanks,\nFernando.","headers":{"Message-ID":"<1fa9bf99-aa1f-4559-93bb-238a0d856582@suse.de>","Date":"Mon, 27 Apr 2026 22:00:26 +0200","List-Id":"<netfilter-devel.vger.kernel.org>","Subject":"Re: [PATCH 3/3 nf v4] netfilter: xtables: fix L4 header parsing for\n non-first fragments","To":"Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org, phil@nwl.cc","References":"<20260427112720.5128-1-fmancera@suse.de>\n <20260427112720.5128-3-fmancera@suse.de> <ae-MRZ47QurmXY7z@chamomile>\n <ae-P4Sbl-0vpFrUY@strlen.de> <ae-bk_I_8CZyg5qA@chamomile>","From":"Fernando Fernandez Mancera <fmancera@suse.de>","In-Reply-To":"<ae-bk_I_8CZyg5qA@chamomile>"}}]
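
Review bot: in net/netfilter/xt_TPROXY.c the new checks in tproxy_tg4_v0(), tproxy_tg4_v1() and tproxy_tg6_v1() return NF_DROP for a non-first fragment, but the commit message only says the target/match "only evaluates unfragmented packets or the first fragment", and the match hunks in the same patch return false instead of dropping. The drop verdict should be stated in the commit message, with a one-line comment above each `if (par->fragoff)` in the target, the way the xt_ecn and xt_tcpmss hunks document their checks.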
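
Review bot: in hashlimit_init_dst() in net/netfilter/xt_hashlimit.c, the IPv6 condition `(int)protoff < 0 || ntohs(frag_off) & IP6_OFFSET` mixes `||` and `&` without parentheses. It evaluates as intended because `&` binds tighter than `||`, but writing it as `(ntohs(frag_off) & IP6_OFFSET)` makes that explicit. A short comment on both the IPv4 and IPv6 checks saying that a non-first fragment has no ports to hash would also explain why -1 is returned there.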
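
Review bot: in xt_osf_match_packet() in net/netfilter/xt_osf.c the `if (p->fragoff)` check is added without the kind of comment the xt_ecn and xt_tcpmss hunks carry. The changelog notes that osf only supports ipv4; putting that in a comment above the check would record why `p->fragoff` alone is enough here.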
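
Review bot: in nft_payload_fast_eval() in net/netfilter/nf_tables_core.c, the added `|| pkt->fragoff` sits in the same condition as the NFT_PKTINFO_L4PROTO test, whose name the thread itself describes as misleading. A one-line comment at this condition saying that a non-first fragment carries no transport header at nft_thoff(pkt) would keep the two tests from being read as redundant until the flag is renamed.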