{"id":2225106,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2225106/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260420104745.10338-1-fmancera@suse.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260420104745.10338-1-fmancera@suse.de>","date":"2026-04-20T10:47:44","name":"[1/2,nf,v2] netfilter: nf_tables: skip L4 header parsing for non-first fragments","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":false,"hash":"3c887071ef780e778f8851b3587ded19d95f8679","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/1.1/people/90904/?format=json","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260420104745.10338-1-fmancera@suse.de/mbox/","series":[{"id":500594,"url":"http://patchwork.ozlabs.org/api/1.1/series/500594/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500594","date":"2026-04-20T10:47:45","name":"[1/2,nf,v2] netfilter: nf_tables: skip L4 header parsing for non-first fragments","version":2,"mbox":"http://patchwork.ozlabs.org/series/500594/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225106/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225106/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12037-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de 
header.a=rsa-sha256\n header.s=susede2_rsa header.b=HPM4WtGr;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=DojKClWt;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=HPM4WtGr;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=DojKClWt;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12037-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"HPM4WtGr\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"DojKClWt\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"HPM4WtGr\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"DojKClWt\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.130","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out1.suse.de;\n\tnone"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzj5x3W8Jz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 20:53:57 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 6D2CE303F7DF\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 10:48:34 +0000 (UTC)","from localhost.localdomain 
(localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D5F0D39150B;\n\tMon, 20 Apr 2026 10:48:33 +0000 (UTC)","from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id D7B052BE05E\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 20 Apr 2026 10:48:31 +0000 (UTC)","from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out1.suse.de (Postfix) with ESMTPS id 267B36A7D8;\n\tMon, 20 Apr 2026 10:48:30 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 71787593AE;\n\tMon, 20 Apr 2026 10:48:29 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid KgO9GH0E5mkFFgAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Mon, 20 Apr 2026 10:48:29 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776682113; cv=none;\n b=pPuj/9ioPRvFUNB/h6hXbFtOCFHXTipIlRHmTD16H/5sWL3qI4WApGWDS3bILLjShxdbJbEYHTOUZnwubtbI4Nrk/gpI1nk5/0r4DJDsVTFX+QQzP+30OgiBut1f6tEPW20o0bmqteP8pGIk2ZrO8UdiDk465DVsqdA6OSF3D10=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776682113; c=relaxed/simple;\n\tbh=X/c0obyNrbVn7G7S5slyftSuNDPhRrsRw+Nd0q1D+OQ=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n 
b=IPUO7Lv9Wx01TC8vygRRgGxwP26Cy6jZvEesvAwiPcDeRVkRIA5g5AOedHcuaPJnrmCLaJfbPaQlFop5Y3bPwItXzpu/7tx/Dvgvx7NGI8oF503NHTCbVpIVNib3sd/s9WACf9tJ6EtXIGBH4+ey6fGoZrV8thwIdzzqFwtdvpA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=HPM4WtGr;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=DojKClWt;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=HPM4WtGr;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=DojKClWt; arc=none smtp.client-ip=195.135.223.130","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776682110;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  content-transfer-encoding:content-transfer-encoding;\n\tbh=PDCDbjRv+gNlD/TTYbzyUgAf3VbhGIk9vPchwPZI/Z8=;\n\tb=HPM4WtGrBJrbpGyJVVdA4m+ztDiLLbCMt0BTPbzx6Zi6iO/LZrN/koMIxqbvID0MgOA38m\n\tEGWGnI9zulvhUobPA1L54cGR7EJuuX1u/70Dsq95fxZ+pY6YY7tLL0MUlZEP7+BqnE2E6S\n\tkF1wmc22+XsES3b6vjHVJuAEggQ9plo=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776682110;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  content-transfer-encoding:content-transfer-encoding;\n\tbh=PDCDbjRv+gNlD/TTYbzyUgAf3VbhGIk9vPchwPZI/Z8=;\n\tb=DojKClWtcM5jFsbZTaGYu+f/X8s86i2Hq3tJg0cCmCLpNWdZ5NM07yOIm6QrW5JK7h7+OW\n\tplUkFvStfjG0MEDA==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776682110;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  
content-transfer-encoding:content-transfer-encoding;\n\tbh=PDCDbjRv+gNlD/TTYbzyUgAf3VbhGIk9vPchwPZI/Z8=;\n\tb=HPM4WtGrBJrbpGyJVVdA4m+ztDiLLbCMt0BTPbzx6Zi6iO/LZrN/koMIxqbvID0MgOA38m\n\tEGWGnI9zulvhUobPA1L54cGR7EJuuX1u/70Dsq95fxZ+pY6YY7tLL0MUlZEP7+BqnE2E6S\n\tkF1wmc22+XsES3b6vjHVJuAEggQ9plo=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776682110;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  content-transfer-encoding:content-transfer-encoding;\n\tbh=PDCDbjRv+gNlD/TTYbzyUgAf3VbhGIk9vPchwPZI/Z8=;\n\tb=DojKClWtcM5jFsbZTaGYu+f/X8s86i2Hq3tJg0cCmCLpNWdZ5NM07yOIm6QrW5JK7h7+OW\n\tplUkFvStfjG0MEDA=="],"From":"Fernando Fernandez Mancera <fmancera@suse.de>","To":"netfilter-devel@vger.kernel.org","Cc":"coreteam@netfilter.org,\n\tecklm94@gmail.com,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>","Subject":"[PATCH 1/2 nf v2] netfilter: nf_tables: skip L4 header parsing for\n non-first fragments","Date":"Mon, 20 Apr 2026 12:47:44 +0200","Message-ID":"<20260420104745.10338-1-fmancera@suse.de>","X-Mailer":"git-send-email 2.51.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spamd-Result":"default: False [-2.80 / 
50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tMID_CONTAINS_FROM(1.00)[];\n\tR_MISSING_CHARSET(0.50)[];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tARC_NA(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tFREEMAIL_CC(0.00)[netfilter.org,gmail.com,nwl.cc,strlen.de,suse.de];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:mid,suse.de:email,imap1.dmz-prg2.suse.org:helo];\n\tFROM_HAS_DN(0.00)[];\n\tRCPT_COUNT_SEVEN(0.00)[7];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tRCVD_TLS_ALL(0.00)[];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tTO_DN_SOME(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tFREEMAIL_ENVRCPT(0.00)[gmail.com]","X-Spam-Flag":"NO","X-Spam-Score":"-2.80","X-Spam-Level":""},"content":"The tproxy, osf, socket and exthdr (SCTP) expressions rely on the\npresence of transport layer headers to perform socket lookups,\nfingerprint matching, or chunk extraction. For fragmented packets, while\nthe IP protocol remains constant across all fragments, only the first\nfragment contains the actual L4 header.\n\nThe expressions could be attached to a chain with a priority lower than\n-400, bypassing defragmentation. Or could be used in stateless\nenvironments where defragmentation is not happening at all.  
This could\nresult in garbage data being used for the matching.\n\nAdd a check for pkt->fragoff so only unfragmented packets or the first\nfragment is processed.\n\nFixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\nFixes: 4ed8eb6570a4 (\"netfilter: nf_tables: Add native tproxy support\")\nFixes: b96af92d6eaf (\"netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf\")\nFixes: 554ced0a6e29 (\"netfilter: nf_tables: add support for native socket matching\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv2: handled fragmented packets for socket expression too,\nsquashed nftables expression commits into this one.\n---\n net/netfilter/nft_exthdr.c | 2 +-\n net/netfilter/nft_osf.c    | 2 +-\n net/netfilter/nft_socket.c | 7 ++++++-\n net/netfilter/nft_tproxy.c | 8 ++++----\n 4 files changed, 12 insertions(+), 7 deletions(-)","diff":"diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\nindex 7eedf4e3ae9c..8eb708bb8cff 100644\n--- a/net/netfilter/nft_exthdr.c\n+++ b/net/netfilter/nft_exthdr.c\n@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n \tconst struct sctp_chunkhdr *sch;\n \tstruct sctp_chunkhdr _sch;\n \n-\tif (pkt->tprot != IPPROTO_SCTP)\n+\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n \t\tgoto err;\n \n \tdo {\ndiff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c\nindex 1c0b493ef0a9..ceca87e405eb 100644\n--- a/net/netfilter/nft_osf.c\n+++ b/net/netfilter/nft_osf.c\n@@ -28,7 +28,7 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,\n \tstruct nf_osf_data data;\n \tstruct tcphdr _tcph;\n \n-\tif (pkt->tprot != IPPROTO_TCP) {\n+\tif (pkt->tprot != IPPROTO_TCP || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\ndiff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c\nindex 36affbb697c2..52c9a9291486 100644\n--- a/net/netfilter/nft_socket.c\n+++ b/net/netfilter/nft_socket.c\n@@ 
-116,8 +116,13 @@ static void nft_socket_eval(const struct nft_expr *expr,\n \tif (sk && !net_eq(nft_net(pkt), sock_net(sk)))\n \t\tsk = NULL;\n \n-\tif (!sk)\n+\tif (!sk) {\n+\t\tif (pkt->fragoff) {\n+\t\t\tregs->verdict.code = NFT_BREAK;\n+\t\t\treturn;\n+\t\t}\n \t\tsk = nft_socket_do_lookup(pkt);\n+\t}\n \n \tif (!sk) {\n \t\tregs->verdict.code = NFT_BREAK;\ndiff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c\nindex 50481280abd2..8080cbd878cd 100644\n--- a/net/netfilter/nft_tproxy.c\n+++ b/net/netfilter/nft_tproxy.c\n@@ -30,8 +30,8 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,\n \t__be16 tport = 0;\n \tstruct sock *sk;\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t    pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t     pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n@@ -97,8 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,\n \n \tmemset(&taddr, 0, sizeof(taddr));\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t    pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t     pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n","prefixes":["1/2","nf","v2"]}
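Review bot: in the nft_socket.c hunk the new `if (pkt->fragoff)` test sits inside `if (!sk) {`, so a non-first fragment that already carries a socket from the skb (the `sk` obtained before the `net_eq()` check) is still evaluated, while one without a socket hits `regs->verdict.code = NFT_BREAK;` just before `sk = nft_socket_do_lookup(pkt);`. The other three files reject fragments unconditionally, and neither the code nor the changelog says why socket differs, so add a one-line comment above the new test stating that the lookup needs the L4 header only the first fragment carries, and mention the asymmetry in the commit message so a reader does not take it for an oversight.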
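Review bot: the condition `(pkt->tprot != IPPROTO_TCP && pkt->tprot != IPPROTO_UDP) || pkt->fragoff` is written out verbatim in both nft_tproxy_eval_v4 and nft_tproxy_eval_v6, and the same `|| pkt->fragoff` tail is bolted onto the existing protocol checks in nft_exthdr.c and nft_osf.c. Consider one small inline helper in the nf_tables pktinfo header (name to be chosen; none exists in the hunks) that takes the expected protocol and returns true only when `pkt->tprot` matches and `pkt->fragoff` is zero, then use it in all four callers: it removes the duplicated parenthesised expression in nft_tproxy.c and gives the next expression that reads an L4 header a single place to get the fragment case right.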