From patchwork Wed Oct 30 10:50:01 2013
X-Patchwork-Submitter: Jiri Pirko
X-Patchwork-Id: 287192
From: Jiri Pirko
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, pablo@netfilter.org, netfilter-devel@vger.kernel.org, yoshfuji@linux-ipv6.org, kadlec@blackhole.kfki.hu, kaber@trash.net, mleitner@redhat.com
Subject: [patch net-next RFC] netfilter: ip6_tables: use reasm skb for matching
Date: Wed, 30 Oct 2013 11:50:01 +0100
Message-Id: <1383130201-6198-1-git-send-email-jiri@resnulli.us>
X-Mailer: git-send-email 1.8.3.1

Currently, when an IPv6 fragment goes through netfilter, match functions are called on it directly. This might cause the match function to fail. So benefit from the fact that nf_defrag_ipv6 constructs a reassembled skb for us, and use this reassembled skb for matching.

This patch fixes, for example, the following situation:

On HOSTA do:
ip6tables -I INPUT -p icmpv6 -j DROP
ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT

and on HOSTB you do:
ping6 HOSTA -s2000
(MTU is 1500)

Incoming echo requests will be filtered out on HOSTA. This issue does not occur with packets smaller than the MTU (where fragmentation does not happen).

Signed-off-by: Jiri Pirko
---
 net/ipv6/netfilter/ip6_tables.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 44400c2..5421beb0 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -328,6 +328,7 @@ ip6t_do_table(struct sk_buff *skb, const struct xt_table_info *private; struct xt_action_param acpar; unsigned int addend; + struct sk_buff *reasm = skb->nfct_reasm ? skb->nfct_reasm : skb; /* Initialization */ indev = in ? in->name : nulldevname;
@@ -363,7 +364,7 @@ ip6t_do_table(struct sk_buff *skb, IP_NF_ASSERT(e); acpar.thoff = 0; - if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, + if (!ip6_packet_match(reasm, indev, outdev, &e->ipv6, &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) { no_match: e = ip6t_next_entry(e); @@ -373,7 +374,7 @@ ip6t_do_table(struct sk_buff *skb, xt_ematch_foreach(ematch, e) { acpar.match = ematch->u.kernel.match; acpar.matchinfo = ematch->data; - if (!acpar.match->match(skb, &acpar)) + if (!acpar.match->match(reasm, &acpar)) goto no_match; }
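Review bot: the new `struct sk_buff *reasm = skb->nfct_reasm ? skb->nfct_reasm : skb;` in the @@ -328 hunk reads skb->nfct_reasm unconditionally, but that sk_buff member only exists when NET_SKBUFF_NF_DEFRAG_NEEDED is defined, i.e. with CONFIG_NF_DEFRAG_IPV6 built in or as a module, and IP6_NF_IPTABLES does not select it, so a config with ip6_tables but without nf_defrag_ipv6 no longer builds. Either guard the assignment with `#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED` and fall back to `reasm = skb`, or add the Kconfig dependency. Even when the field is compiled in, it is only populated while the nf_defrag_ipv6 hooks are registered, which loading ip6_tables alone does not ensure; the commit message should say that the fix is a no-op on a host running plain ip6tables without nf_defrag_ipv6 (or nf_conntrack_ipv6, which pulls it in) loaded.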
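Review bot: in the @@ -363 and @@ -373 hunks acpar.fragoff is now filled in from reasm and every extension match is called on reasm, and since the reassembled datagram carries no fragment header that offset is 0 for each fragment that passes through the table. That is exactly what lets the icmp6 match accept here, but it also means a match that deliberately keys on per-fragment state (the frag match with --fragfirst/--fragmore) now inspects the whole datagram on every fragment, so existing rulesets change behaviour; either limit the substitution to matches that need the transport header or spell the semantic change out in the commit message. Separately, acpar.thoff is now an offset into reasm while acpar and the original skb continue down the same entry together after these hunks; please confirm that nothing later in ip6t_do_table (the target call in particular) applies that offset to the non-first fragment in skb.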
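The scenario from the commit message, modelled in user-space C as an added example (this is not part of the patch and not the kernel's ip6_tables code): it reimplements just the pieces of ip6_packet_match and the icmp6 match that matter here, namely the fragment-header walk and the refusal of non-first fragments, and runs the two-rule INPUT chain over constructed fragments of a `ping6 -s2000` echo request and then over the reassembled datagram. The 1448/560-byte split, the fragment identification and the payload filler are assumptions chosen for the example; `find_transport`, `input_chain`, `build_pkt` and `scenario_verdict` are the example's own names, not kernel symbols.

```c
/* User-space model of the matching path the patch changes (example code, not
 * the kernel's ip6_tables). It shows why the INPUT chain
 *   ip6tables -I INPUT -p icmpv6 -j DROP
 *   ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
 * drops a fragmented echo request when each fragment is matched on its own.
 * Offsets follow RFC 2460 (IPv6, fragment header) and RFC 4443 (ICMPv6). */
#include <stdint.h>
#include <string.h>

#define NEXTHDR_FRAGMENT    44
#define NEXTHDR_ICMPV6      58
#define ICMPV6_ECHO_REQUEST 128
#define IPV6_HDRLEN         40
#define FRAG_HDRLEN         8
enum verdict { DROP = 0, ACCEPT = 1 };

/* Model of ipv6_find_hdr() as ip6_packet_match() uses it: returns the transport
 * protocol, its offset in *thoff and the fragment offset in *fragoff (0 for an
 * unfragmented packet or a first fragment). Only the fragment header is modelled. */
static int find_transport(const uint8_t *pkt, size_t len, unsigned *thoff, uint16_t *fragoff)
{
    size_t off = IPV6_HDRLEN;
    uint8_t nexthdr;
    if (len < IPV6_HDRLEN)
        return -1;
    nexthdr = pkt[6];
    *fragoff = 0;
    if (nexthdr == NEXTHDR_FRAGMENT) {
        if (len < off + FRAG_HDRLEN)
            return -1;
        nexthdr  = pkt[off];
        *fragoff = (uint16_t)(((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8);
        off += FRAG_HDRLEN;
    }
    *thoff = (unsigned)off;
    return nexthdr;
}

/* The INPUT chain after the two `-I` commands (the later insert comes first).
 * ip6_packet_match() supplies proto, thoff and fragoff; the icmp6 match then
 * refuses a non-zero fragoff, as the kernel's icmp6_match() does. */
enum verdict input_chain(const uint8_t *pkt, size_t len)
{
    unsigned thoff;
    uint16_t fragoff;
    int proto = find_transport(pkt, len, &thoff, &fragoff);
    /* rule 1: -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT */
    if (proto == NEXTHDR_ICMPV6 && fragoff == 0 && len >= thoff + 4 &&
        pkt[thoff] == ICMPV6_ECHO_REQUEST)
        return ACCEPT;
    /* rule 2: -p icmpv6 -j DROP; matches every fragment, because the fragment
     * header's next-header byte still names the inner protocol */
    if (proto == NEXTHDR_ICMPV6)
        return DROP;
    return ACCEPT;                                  /* chain policy */
}

/* Build an IPv6 packet: frag_word < 0 means no fragment header, otherwise it is
 * the header's offset/M-flag word; the payload is 0xab filler, with an ICMPv6
 * header of the given type in front when icmp_type >= 0. Returns the length. */
static size_t build_pkt(uint8_t *buf, int frag_word, int icmp_type, size_t payload_len)
{
    size_t off = IPV6_HDRLEN;
    memset(buf, 0, IPV6_HDRLEN + FRAG_HDRLEN);
    buf[0] = 0x60;                                  /* version 6 */
    buf[6] = frag_word < 0 ? NEXTHDR_ICMPV6 : NEXTHDR_FRAGMENT;
    buf[7] = 64;                                    /* hop limit */
    if (frag_word >= 0) {
        buf[off] = NEXTHDR_ICMPV6;
        buf[off + 2] = (uint8_t)(frag_word >> 8);
        buf[off + 3] = (uint8_t)frag_word;
        buf[off + 4] = 0x13; buf[off + 5] = 0x37;   /* identification (made up) */
        off += FRAG_HDRLEN;
    }
    memset(buf + off, 0xab, payload_len);           /* ping payload filler */
    if (icmp_type >= 0) {
        memset(buf + off, 0, 4);                    /* code and checksum left 0 */
        buf[off] = (uint8_t)icmp_type;
    }
    off += payload_len;
    buf[4] = (uint8_t)((off - IPV6_HDRLEN) >> 8);   /* payload length */
    buf[5] = (uint8_t)(off - IPV6_HDRLEN);
    return off;
}

/* ping6 -s2000 through a 1500-byte MTU, split (assumed) into 1448 + 560 bytes of
 * ICMPv6. which: 0 = first fragment, 1 = second fragment, 2 = the reassembled
 * datagram as nf_defrag_ipv6 hands it over (fragment header stripped). */
enum verdict scenario_verdict(int which)
{
    static uint8_t pkt[2100];
    size_t len = which == 0 ? build_pkt(pkt, 1, ICMPV6_ECHO_REQUEST, 1448)     /* offset 0, M=1 */
               : which == 1 ? build_pkt(pkt, 1448, -1, 560)                    /* offset 1448, M=0 */
               :              build_pkt(pkt, -1, ICMPV6_ECHO_REQUEST, 2008);    /* reassembled */
    return input_chain(pkt, len);
}
```

The per-fragment verdicts are ACCEPT for the first fragment (it carries the ICMPv6 header at fragment offset 0) and DROP for the second (the icmp6 match bails out on a non-zero fragoff, so the bare -p icmpv6 rule wins), which is why reassembly on HOSTA never completes; running the same chain over the reassembled datagram yields ACCEPT, the behaviour the patch reaches for by handing reasm to the matches.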