{"id":2224694,"url":"http://patchwork.ozlabs.org/api/patches/2224694/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260417183433.4739-6-fmancera@suse.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260417183433.4739-6-fmancera@suse.de>","list_archive_url":null,"date":"2026-04-17T18:34:35","name":"[4/4,nf] netfilter: xtables: fix L4 header parsing for non-first fragments","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":false,"hash":"cb3b43c5d1db4878f7de0762f03473a03b112e2f","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/?format=json","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260417183433.4739-6-fmancera@suse.de/mbox/","series":[{"id":500386,"url":"http://patchwork.ozlabs.org/api/series/500386/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500386","date":"2026-04-17T18:34:31","name":"[1/4,nf] netfilter: nft_exthdr: skip SCTP chunk evaluation for non-first fragments","version":1,"mbox":"http://patchwork.ozlabs.org/series/500386/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224694/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224694/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n 
<netfilter-devel+bounces-12007-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=TEdlcIDD;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=kl+mtDOu;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=TEdlcIDD;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=kl+mtDOu;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12007-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"TEdlcIDD\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"kl+mtDOu\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"TEdlcIDD\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"kl+mtDOu\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out2.suse.de;\n\tnone"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fy3Wf0n6sz1yHp\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 
18 Apr 2026 04:37:02 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 9D0663040AA1\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 18:35:22 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 88110372B23;\n\tFri, 17 Apr 2026 18:35:21 +0000 (UTC)","from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id D7C6534B19F\n\tfor <netfilter-devel@vger.kernel.org>; Fri, 17 Apr 2026 18:35:19 +0000 (UTC)","from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id 2DBA95BD6D;\n\tFri, 17 Apr 2026 18:35:18 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id B7167593AE;\n\tFri, 17 Apr 2026 18:35:17 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid AGbtKWV94mmFFQAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Fri, 17 Apr 2026 18:35:17 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776450921; cv=none;\n b=RAFgoUpKkEDUJlk50Dsu5unbiT2aYGbX0KgvapB4oMRV3ob836mXxuhHhL7hUiQwJlmZt552cLS9WfslmGNTNZ7xdd5MJOFEqQKGMpIiu1IGXxlGxSvdfg1F1Fd8MhdpvIXxuceo70u+f2YTrLY5dRtUmwiA2k1tVnGjisSyuwk=","ARC-Message-Signature":"i=1; a=rsa-sha256; 
d=subspace.kernel.org;\n\ts=arc-20240116; t=1776450921; c=relaxed/simple;\n\tbh=izosyhxDTy5NdRy6ayhND//aGqiQP/TpllLGyLhTMRo=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=s/CetXs6nAmKxs9DkRSbI9Mw0Fof658WTiRCWGw4Vcl7fW8gjA2+Vq0Jj0DQ15cdU7pn1jxJevdE9KlQ8cgq3WqfQpJK/C1qvCNo3VL2MC///ZExMdwQP6jqJMloo1gOmo2xfA+eNMwDyBkGTjbmsqGGwi3KIlUuRjk0b3eaeGM=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=TEdlcIDD;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=kl+mtDOu;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=TEdlcIDD;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=kl+mtDOu; arc=none smtp.client-ip=195.135.223.131","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776450918;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=cWo1LFCwbN3YfhDdAcKt2Z9T6i6hL9z0LD165eTYsNY=;\n\tb=TEdlcIDDxHBeg5nIqChjwVFZh/HpQbqhJgu37yCGVHzQ6sYYsy3XMSU85OtRU8DxCyIt8u\n\tG6wLUmX2SkRco7ZVMR2tICHF3uepJoNLybNVl2TPHCmoCplsY3m/GQVtLWj5D14tDIfOjm\n\tVexypcFwKA/5jpuAikaHb3bZyixznoc=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776450918;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=cWo1LFCwbN3YfhDdAcKt2Z9T6i6hL9z0LD165eTYsNY=;\n\tb=kl+mtDOunZIBz+KPc+2BTY0pIYHbTFaX6sm5lyMmtdaoKlF07Q1ppMZZcPId0f/j0v4rMe\n\tLhVAr5PedSY2ofDA==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776450918;\n 
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=cWo1LFCwbN3YfhDdAcKt2Z9T6i6hL9z0LD165eTYsNY=;\n\tb=TEdlcIDDxHBeg5nIqChjwVFZh/HpQbqhJgu37yCGVHzQ6sYYsy3XMSU85OtRU8DxCyIt8u\n\tG6wLUmX2SkRco7ZVMR2tICHF3uepJoNLybNVl2TPHCmoCplsY3m/GQVtLWj5D14tDIfOjm\n\tVexypcFwKA/5jpuAikaHb3bZyixznoc=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776450918;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=cWo1LFCwbN3YfhDdAcKt2Z9T6i6hL9z0LD165eTYsNY=;\n\tb=kl+mtDOunZIBz+KPc+2BTY0pIYHbTFaX6sm5lyMmtdaoKlF07Q1ppMZZcPId0f/j0v4rMe\n\tLhVAr5PedSY2ofDA=="],"From":"Fernando Fernandez Mancera <fmancera@suse.de>","To":"netfilter-devel@vger.kernel.org","Cc":"netdev@vger.kernel.org,\n\tcoreteam@netfilter.org,\n\tpablo@netfilter.org,\n\tfw@strlen.de,\n\tphil@nwl.cc,\n\tFernando Fernandez Mancera <fmancera@suse.de>","Subject":"[PATCH 4/4 nf] netfilter: xtables: fix L4 header parsing for\n non-first fragments","Date":"Fri, 17 Apr 2026 20:34:35 +0200","Message-ID":"<20260417183433.4739-6-fmancera@suse.de>","X-Mailer":"git-send-email 2.51.0","In-Reply-To":"<20260417183433.4739-1-fmancera@suse.de>","References":"<20260417183433.4739-1-fmancera@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spamd-Result":"default: False [-2.80 / 
50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tMID_CONTAINS_FROM(1.00)[];\n\tR_MISSING_CHARSET(0.50)[];\n\tNEURAL_HAM_SHORT(-0.20)[-0.996];\n\tMIME_GOOD(-0.10)[text/plain];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tARC_NA(0.00)[];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:mid,suse.de:email];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tRCPT_COUNT_SEVEN(0.00)[7];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tTO_DN_SOME(0.00)[];\n\tRCVD_TLS_ALL(0.00)[]","X-Spam-Flag":"NO","X-Spam-Score":"-2.80","X-Spam-Level":""},"content":"The TPROXY target and osf match rely on the L4 header to operate. For\nfragmented packets, every fragment carries the transport protocol\nidentifier, but only the first fragment contains the L4 header.\n\nAs the 'raw' table can be configured to run at priority -450 (before\ndefragmentation at -400), the target/match can be reached before\nreassembly. 
In this case, non-first fragments have their payload\nincorrectly parsed as a TCP/UDP header.\n\nAdd a fragment check to ensure TPROXY/osf only evaluates unfragmented\npackets or the first fragment in the stream.\n\nFixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\n net/netfilter/xt_TPROXY.c | 8 ++++++--\n net/netfilter/xt_osf.c    | 3 +++\n 2 files changed, 9 insertions(+), 2 deletions(-)","diff":"diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c\nindex e4bea1d346cf..ac4b011ce48c 100644\n--- a/net/netfilter/xt_TPROXY.c\n+++ b/net/netfilter/xt_TPROXY.c\n@@ -40,6 +40,9 @@ tproxy_tg4(struct net *net, struct sk_buff *skb, __be32 laddr, __be16 lport,\n \tstruct udphdr _hdr, *hp;\n \tstruct sock *sk;\n \n+\tif (ip_is_fragment(iph))\n+\t\treturn NF_DROP;\n+\n \thp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);\n \tif (hp == NULL)\n \t\treturn NF_DROP;\n@@ -106,6 +109,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n {\n \tconst struct ipv6hdr *iph = ipv6_hdr(skb);\n \tconst struct xt_tproxy_target_info_v1 *tgi = par->targinfo;\n+\tunsigned short fragoff = 0;\n \tstruct udphdr _hdr, *hp;\n \tstruct sock *sk;\n \tconst struct in6_addr *laddr;\n@@ -113,8 +117,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)\n \tint thoff = 0;\n \tint tproto;\n \n-\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n-\tif (tproto < 0)\n+\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n+\tif (tproto < 0 || fragoff)\n \t\treturn NF_DROP;\n \n \thp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);\ndiff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c\nindex dc9485854002..889dff4daff0 100644\n--- a/net/netfilter/xt_osf.c\n+++ b/net/netfilter/xt_osf.c\n@@ -27,6 +27,9 @@\n static bool\n xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)\n {\n+\tif 
(ip_is_fragment(ip_hdr(skb)))\n+\t\treturn false;\n+\n \treturn nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p),\n \t\t\t    xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers);\n }\n","prefixes":["4/4","nf"]}
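Review bot: the IPv4 checks in the tproxy_tg4 and xt_osf_match_packet hunks reject the first fragment as well, which contradicts the commit message ("only evaluates unfragmented packets or the first fragment") and the IPv6 hunk. ip_is_fragment() is true whenever either MF or a non-zero offset is set, so a first fragment (MF set, offset 0), which does carry the L4 header, is dropped by TPROXY and fails to match in osf, while the tproxy_tg6_v1 hunk only rejects `fragoff` != 0 and still evaluates the first fragment. Either make the IPv4 side test only the offset bits (`ip_hdr(skb)->frag_off & htons(IP_OFFSET)`) so both families behave as the message describes, or reword the message to say that every fragment is skipped on IPv4 and explain why the two families differ.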
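Review bot: the two xt_TPROXY.c hunks answer a fragment with NF_DROP, whereas the xt_osf.c hunk returns false so the rule merely does not match. For TPROXY this means the remaining fragments of a datagram whose first fragment was already handled are discarded by the target instead of being left for the defrag hook at priority -400 that the commit message mentions, so reassembly can never complete for that datagram. The existing `hp == NULL` and `tproto < 0` paths drop malformed packets, which is a different situation from a well-formed non-first fragment; consider returning XT_CONTINUE for fragments so they pass through to defragmentation, or state explicitly in the commit message that dropping them is the intended behaviour.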