From: Florian Westphal <fw@strlen.de>
To: Bernhard Thaler <bernhard.thaler@wvnet.at>
Cc: pablo@netfilter.org, kadlec@blackhole.kfki.hu,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCHv2 1/1] bridge: forward IPv6 fragmented packets when passing netfilter
Date: Fri, 23 Jan 2015 00:49:40 +0100 [thread overview]
Message-ID: <20150122234940.GD16045@breakpoint.cc> (raw)
In-Reply-To: <1421969232-19103-1-git-send-email-bernhard.thaler@wvnet.at>
Bernhard Thaler <bernhard.thaler@wvnet.at> wrote:
> +/* Equivalent to br_parse_ip_options for IPv6 */
> +
> +static int br_parse_ip6_options(struct sk_buff *skb)
> +{
Its not parsing options (yes, the ipv4 counterpart
is also a misnomer, lets at least not repeat it?).
> + const struct ipv6hdr *ip6h;
> + struct net_device *dev = skb->dev;
> + struct inet6_dev *idev = in6_dev_get(skb->dev);
> + u32 len;
> + u8 ip6h_len = sizeof(struct ipv6hdr);
> +
> + if (!pskb_may_pull(skb, ip6h_len))
> + goto inhdr_error;
> +
> + ip6h = ipv6_hdr(skb);
> +
> + /* Basic sanity checks
> + * check version
> + * check minimum header length (40 bytes)
> + * check total length
> + */
> + if (ip6h->version != 6)
> + goto inhdr_error;
> +
> + if (!pskb_may_pull(skb, ip6h_len))
> + goto inhdr_error;
This maypull call is not needed.
> + len = ntohs(ip6h->payload_len) + ip6h_len;
> +
> + if (skb->len < len) {
> + IP6_INC_STATS_BH(dev_net(dev), idev,
> + IPSTATS_MIB_INTRUNCATEDPKTS);
> + goto drop;
> + } else if (len < ip6h_len) {
How can this evaluate to true?
I think this should be refactored with what we have in
br_nf_pre_routing_ipv6(); in fact br_nf_pre_routing_ipv6 says that there
is no ipv6 nat which isn't true anymore; I think we should at the very
least zero out skb->cb[] there as well.
Perhaps factor out some common br_ip6_validate() helper that does
whats in br_nf_pre_routing_ipv6.
> + if (br_parse_ip6_options(skb))
> + /* Drop invalid packet */
> + return NF_DROP;
If we call br_parse_ip6_options() (or eqivalent) in PREROUTING, do we need to call
it again here? It seems to me we validated skb already (Also true for ipv4 counterpart)?
The IP6CB reset is needed of course.
So, to summarize:
- Not sure we need br_parse_ip6_options; we only call it from
br_nf_dev_queue_xmit(); as long as we validated things in prerouting
earlier we should be fine.
- The existing validation calls in br_nf_pre_routing_ipv6() should at
least also zero IP6CB.
I agree with the other changes (even though its ugly; don't have any better
solution either).
Cheers,
Florian
next prev parent reply other threads:[~2015-01-22 23:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-19 0:43 [PATCH 1/1] bridge: forward IPv6 fragmented packets when passing netfilter Bernhard Thaler
2015-01-20 17:28 ` Pablo Neira Ayuso
2015-01-22 23:27 ` [PATCHv2 " Bernhard Thaler
2015-01-22 23:49 ` Florian Westphal [this message]
2015-01-27 1:22 ` [PATCHv3 " Bernhard Thaler
2015-01-27 9:39 ` Florian Westphal
2015-01-27 23:15 ` [PATCHv4 RFC " Bernhard Thaler
2015-01-30 17:17 ` Pablo Neira Ayuso
2015-01-30 17:25 ` Pablo Neira Ayuso
2015-03-18 21:53 ` [PATCH 2/4] " Bernhard Thaler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150122234940.GD16045@breakpoint.cc \
--to=fw@strlen.de \
--cc=bernhard.thaler@wvnet.at \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.