{"id":2228778,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2228778/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427112720.5128-1-fmancera@suse.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260427112720.5128-1-fmancera@suse.de>","date":"2026-04-27T11:27:18","name":"[1/3,nf,v4] netfilter: nf_socket: skip socket lookup for non-first fragments","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":true,"hash":"a5aa5aa53da4ad56e8db30c5642d0fa3fc3cd54e","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/1.1/people/90904/?format=json","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"delegate":{"id":11902,"url":"http://patchwork.ozlabs.org/api/1.1/users/11902/?format=json","username":"strlen","first_name":"Florian","last_name":"Westphal","email":"fw@strlen.de"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427112720.5128-1-fmancera@suse.de/mbox/","series":[{"id":501628,"url":"http://patchwork.ozlabs.org/api/1.1/series/501628/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501628","date":"2026-04-27T11:27:18","name":"[1/3,nf,v4] netfilter: nf_socket: skip socket lookup for non-first fragments","version":4,"mbox":"http://patchwork.ozlabs.org/series/501628/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2228778/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2228778/checks/","tags":{},"headers":{"From":"Fernando Fernandez Mancera <fmancera@suse.de>","To":"netfilter-devel@vger.kernel.org","Cc":"coreteam@netfilter.org,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>","Subject":"[PATCH 1/3 nf v4] netfilter: nf_socket: skip socket lookup for\n non-first fragments","Date":"Mon, 27 Apr 2026 13:27:18 +0200","Message-ID":"<20260427112720.5128-1-fmancera@suse.de>","X-Mailer":"git-send-email 2.51.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"Both nft_socket and xt_socket rely on L4 headers to perform socket\nlookup in the slow path. For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nAs the expression/match could be attached to a chain with a priority\nlower than -400, it could bypass defragmentation.\n\nAdd a check for fragmentation in the lookup functions directly so the\nproblem is handled for both nft_socket and xt_socket at the same time.\nIn addition, future users of the functions would not need to care about\nthis.\n\nFixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\nFixes: 554ced0a6e29 (\"netfilter: nf_tables: add support for native socket matching\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv3: added this patch to the series, I split this as the fix is\ngeneric for both nft_socket and xt_socket\nv4: no changes\n---\n net/ipv4/netfilter/nf_socket_ipv4.c | 3 +++\n net/ipv6/netfilter/nf_socket_ipv6.c | 5 +++--\n 2 files changed, 6 insertions(+), 2 deletions(-)","diff":"diff --git a/net/ipv4/netfilter/nf_socket_ipv4.c b/net/ipv4/netfilter/nf_socket_ipv4.c\nindex 5080fa5fbf6a..f9c6755f5ec5 100644\n--- a/net/ipv4/netfilter/nf_socket_ipv4.c\n+++ b/net/ipv4/netfilter/nf_socket_ipv4.c\n@@ 
-94,6 +94,9 @@ struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,\n #endif\n \tint doff = 0;\n \n+\tif (ntohs(iph->frag_off) & IP_OFFSET)\n+\t\treturn NULL;\n+\n \tif (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {\n \t\tstruct tcphdr _hdr;\n \t\tstruct udphdr *hp;\ndiff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c\nindex ced8bd44828e..893f2aeb4711 100644\n--- a/net/ipv6/netfilter/nf_socket_ipv6.c\n+++ b/net/ipv6/netfilter/nf_socket_ipv6.c\n@@ -100,6 +100,7 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n \tconst struct in6_addr *daddr = NULL, *saddr = NULL;\n \tstruct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var;\n \tstruct sk_buff *data_skb = NULL;\n+\tunsigned short fragoff = 0;\n \tint doff = 0;\n \tint thoff = 0, tproto;\n #if IS_ENABLED(CONFIG_NF_CONNTRACK)\n@@ -107,8 +108,8 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n \tstruct nf_conn const *ct;\n #endif\n \n-\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n-\tif (tproto < 0) {\n+\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n+\tif (tproto < 0 || fragoff) {\n \t\tpr_debug(\"unable to find transport header in IPv6 packet, dropping\\n\");\n \t\treturn NULL;\n \t}\n","prefixes":["1/3","nf","v4"]}
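Review bot: the new early return in the nf_sk_lookup_slow_v4 hunk, `if (ntohs(iph->frag_off) & IP_OFFSET) return NULL;`, carries none of the reasoning from the commit message into the code and, unlike the IPv6 side, emits no pr_debug, so a reader of the function alone cannot tell why a packet with a non-zero fragment offset is rejected before the `iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP` test. A one-line comment along the lines of `/* non-first fragment: no L4 header present, defrag may have been bypassed */` would fix that; it is also worth stating there that the first fragment (offset 0, MF set) intentionally still reaches the UDP/TCP header handling below, since it is the one fragment that carries the transport header.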
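Review bot: `unsigned short fragoff = 0;` in the first nf_sk_lookup_slow_v6 hunk gives no hint that a non-zero value means "this is not the first fragment", which is the only property the later `|| fragoff` test relies on; a short comment at the declaration, or a name that spells out the intent, would make the check self-explanatory. Keep the zero initializer as written: it is what makes the variable safe to read on every path that reaches the test, regardless of whether ipv6_find_hdr got far enough to see a fragment header.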
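Review bot: with `if (tproto < 0 || fragoff)` in the second nf_sk_lookup_slow_v6 hunk, the unchanged `pr_debug("unable to find transport header in IPv6 packet, dropping\n")` now also fires for non-first fragments, where the transport header is not missing but legitimately absent, so the debug output becomes misleading for exactly the case this patch adds. Either split the condition so the fragment case gets its own message (for example "non-first fragment, skipping socket lookup"), or generalise the existing one; whichever is chosen, the IPv4 hunk should log the same way so both lookup paths are debuggable consistently.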