{"id":2229501,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229501/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428102548.6750-1-fmancera@suse.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260428102548.6750-1-fmancera@suse.de>","date":"2026-04-28T10:25:46","name":"[1/3,nf,v5] netfilter: nf_socket: skip socket lookup for non-first fragments","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a5aa5aa53da4ad56e8db30c5642d0fa3fc3cd54e","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/1.1/people/90904/?format=json","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428102548.6750-1-fmancera@suse.de/mbox/","series":[{"id":501819,"url":"http://patchwork.ozlabs.org/api/1.1/series/501819/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501819","date":"2026-04-28T10:25:46","name":"[1/3,nf,v5] netfilter: nf_socket: skip socket lookup for non-first fragments","version":5,"mbox":"http://patchwork.ozlabs.org/series/501819/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229501/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229501/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12249-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa 
header.b=rxEPXk8t;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=cb2hCVou;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=rxEPXk8t;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=cb2hCVou;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12249-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"rxEPXk8t\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"cb2hCVou\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"rxEPXk8t\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"cb2hCVou\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.130","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out1.suse.de;\n\tdkim=pass header.d=suse.de header.s=susede2_rsa header.b=rxEPXk8t;\n\tdkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=cb2hCVou"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4c6x5DH2z1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 20:26:49 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 5F2973029C0B\n\tfor 
<incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 10:26:12 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 3A69A3E717F;\n\tTue, 28 Apr 2026 10:26:11 +0000 (UTC)","from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FB512E88BD\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 28 Apr 2026 10:26:09 +0000 (UTC)","from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org\n [IPv6:2a07:de40:b281:104:10:150:64:97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out1.suse.de (Postfix) with ESMTPS id AC5796A950;\n\tTue, 28 Apr 2026 10:26:07 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 4D8C5593B0;\n\tTue, 28 Apr 2026 10:26:07 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid OG8uED+L8GmULQAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Tue, 28 Apr 2026 10:26:07 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777371970; cv=none;\n b=sAlZwmfC9sDo1/24jbjQ41UBOvMxdOWYnQEbTwf1vnVsfgosiCcksBCTmN0KBmI0AnOnzSVcprpAkFEaIxN6/oxNcVU3sZlGnkOuPsGt9SQkJzcWg9RHP8ru2k8wMgh4wmh/m+iibdd/1y+cUWq81uxGncwwi3zZWZnylpRVdgk=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777371970; 
c=relaxed/simple;\n\tbh=VpSVSZyMW0rSaxr/v22jtaRSenXz6fQFlo/1yOhHEg4=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=jsKyOBXaEUvYxkLwHh62srfL/xDsByQAfu1rHPQW0jRP30lg92ppphifKj7tPZmAJr4cPoskVH123hF5aDwYYAWxCrd77XQb8ZhcuMshDRUBvVi9SWyFaO2LGtjFzjedipadAlmzDEBbKuJiblMoLg/DqMvGV+37ogm0Dk2hNuc=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=rxEPXk8t;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=cb2hCVou;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=rxEPXk8t;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=cb2hCVou; arc=none smtp.client-ip=195.135.223.130","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1777371967;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  content-transfer-encoding:content-transfer-encoding;\n\tbh=9DIzRQ4Gpyib9bPlcvhirpG2scQPykhlmagVx7DewO4=;\n\tb=rxEPXk8taPVpGY9j5+iJruS2IWPHEBQR9MkJ8xJ9Quq5yVQS1t/W/en5sh72rCoSQu33m4\n\t6+JlUn6SyEhrBEZJcA2Ve7290BM8PRA1veKvKWw4RnkoSpdpvYxsx03uDskI1r73pJFVFD\n\tlsf2nxn5+GgsyCCF0AtIR11o2x9ge4w=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1777371967;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  content-transfer-encoding:content-transfer-encoding;\n\tbh=9DIzRQ4Gpyib9bPlcvhirpG2scQPykhlmagVx7DewO4=;\n\tb=cb2hCVouhsaERp0iIr3VkGbnL5gCVNeWZ7TEBxtz5+LwpponnjcLCKBdBdJsAQh7/Fy1Do\n\tgT4eQPwoxRoeKlBw==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1777371967;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  
content-transfer-encoding:content-transfer-encoding;\n\tbh=9DIzRQ4Gpyib9bPlcvhirpG2scQPykhlmagVx7DewO4=;\n\tb=rxEPXk8taPVpGY9j5+iJruS2IWPHEBQR9MkJ8xJ9Quq5yVQS1t/W/en5sh72rCoSQu33m4\n\t6+JlUn6SyEhrBEZJcA2Ve7290BM8PRA1veKvKWw4RnkoSpdpvYxsx03uDskI1r73pJFVFD\n\tlsf2nxn5+GgsyCCF0AtIR11o2x9ge4w=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1777371967;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n  content-transfer-encoding:content-transfer-encoding;\n\tbh=9DIzRQ4Gpyib9bPlcvhirpG2scQPykhlmagVx7DewO4=;\n\tb=cb2hCVouhsaERp0iIr3VkGbnL5gCVNeWZ7TEBxtz5+LwpponnjcLCKBdBdJsAQh7/Fy1Do\n\tgT4eQPwoxRoeKlBw=="],"From":"Fernando Fernandez Mancera <fmancera@suse.de>","To":"netfilter-devel@vger.kernel.org","Cc":"coreteam@netfilter.org,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>","Subject":"[PATCH 1/3 nf v5] netfilter: nf_socket: skip socket lookup for\n non-first fragments","Date":"Tue, 28 Apr 2026 12:25:46 +0200","Message-ID":"<20260428102548.6750-1-fmancera@suse.de>","X-Mailer":"git-send-email 2.51.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spamd-Result":"default: False [-4.01 / 
50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tDWL_DNSWL_LOW(-1.00)[suse.de:dkim];\n\tMID_CONTAINS_FROM(1.00)[];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tR_MISSING_CHARSET(0.50)[];\n\tR_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tMX_GOOD(-0.01)[];\n\tMIME_TRACE(0.00)[0:+];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tTO_DN_SOME(0.00)[];\n\tRBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from];\n\tSPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from];\n\tARC_NA(0.00)[];\n\tDNSWL_BLOCKED(0.00)[2a07:de40:b281:104:10:150:64:97:from,2a07:de40:b281:106:10:150:64:167:received];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tRECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tRCVD_TLS_ALL(0.00)[];\n\tDKIM_TRACE(0.00)[suse.de:+];\n\tRCPT_COUNT_FIVE(0.00)[6];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.de:mid,suse.de:dkim,suse.de:email]","X-Rspamd-Action":"no action","X-Spam-Flag":"NO","X-Spam-Score":"-4.01","X-Spam-Level":"","X-Rspamd-Server":"rspamd1.dmz-prg2.suse.org","X-Rspamd-Queue-Id":"AC5796A950"},"content":"Both nft_socket and xt_socket relies on L4 headers to perform socket\nlookup in the slow path. 
For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nAs the expression/match could be attached to a chain with a priority\nlower than -400, it could bypass defragmentation.\n\nAdd a check for fragmentation in the lookup functions directly so the\nproblem is handled for both nft_socket and xt_socket at the same time.\nIn addition, future users of the functions would not need to care about\nthis.\n\nFixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\nFixes: 554ced0a6e29 (\"netfilter: nf_tables: add support for native socket matching\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv3: added this patch to the series, I splitted this as the fix is\ngeneric for both nft_socket and xt_socket\nv4: no changes\nv5: no changes\n---\n net/ipv4/netfilter/nf_socket_ipv4.c | 3 +++\n net/ipv6/netfilter/nf_socket_ipv6.c | 5 +++--\n 2 files changed, 6 insertions(+), 2 deletions(-)","diff":"diff --git a/net/ipv4/netfilter/nf_socket_ipv4.c b/net/ipv4/netfilter/nf_socket_ipv4.c\nindex 5080fa5fbf6a..f9c6755f5ec5 100644\n--- a/net/ipv4/netfilter/nf_socket_ipv4.c\n+++ b/net/ipv4/netfilter/nf_socket_ipv4.c\n@@ -94,6 +94,9 @@ struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,\n #endif\n \tint doff = 0;\n \n+\tif (ntohs(iph->frag_off) & IP_OFFSET)\n+\t\treturn NULL;\n+\n \tif (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {\n \t\tstruct tcphdr _hdr;\n \t\tstruct udphdr *hp;\ndiff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c\nindex ced8bd44828e..893f2aeb4711 100644\n--- a/net/ipv6/netfilter/nf_socket_ipv6.c\n+++ b/net/ipv6/netfilter/nf_socket_ipv6.c\n@@ -100,6 +100,7 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n \tconst struct in6_addr *daddr = NULL, *saddr = NULL;\n \tstruct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var;\n \tstruct sk_buff 
*data_skb = NULL;\n+\tunsigned short fragoff = 0;\n \tint doff = 0;\n \tint thoff = 0, tproto;\n #if IS_ENABLED(CONFIG_NF_CONNTRACK)\n@@ -107,8 +108,8 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n \tstruct nf_conn const *ct;\n #endif\n \n-\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n-\tif (tproto < 0) {\n+\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n+\tif (tproto < 0 || fragoff) {\n \t\tpr_debug(\"unable to find transport header in IPv6 packet, dropping\\n\");\n \t\treturn NULL;\n \t}\n","prefixes":["1/3","nf","v5"]}
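Review bot: in the nf_sk_lookup_slow_v4() hunk, the new early return on `ntohs(iph->frag_off) & IP_OFFSET` carries no comment explaining why a non-first fragment yields NULL. A one-line comment above it (only the first fragment carries the L4 header, and the caller may run before defragmentation) would record the reason given in the commit message at the place a later reader will look. As a style point, `iph->frag_off & htons(IP_OFFSET)` tests the same bits while letting the byte swap apply to the constant rather than to the header field.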
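Review bot: in the nf_sk_lookup_slow_v6() hunk, the widened condition `tproto < 0 || fragoff` sends non-first fragments through the existing pr_debug("unable to find transport header in IPv6 packet, dropping\n"), which no longer describes what happened in the `fragoff` case. Consider splitting the two cases, or rewording the message so that a debug log distinguishes a header-parsing failure from a fragment that was skipped on purpose. The IPv4 hunk returns NULL silently for the same situation, so the two lookup functions now also differ in whether a skipped fragment is logged at all.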