From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH v3 nf-next 0/3] netfilter: add restrictions/validations for packet rewrite
Date: Tue,  9 Jun 2026 13:51:52 +0200
Message-ID: <20260609115201.2563-1-fw@strlen.de>

Changes since v2:
 - In patch 1, disable write for NF_BRIDGE. Remove ARP handling.
 ARP is not supported and NF_BRIDGE doesn't appear to be useful as-is
 given userspace gets L3 headers only and needs to use NFQA_L2HDR nl
 attr to alter mac header.

1) Restrict nfnetlink_queue writes to the network header. Validate IP/IPv6
   headers and disable IPv6 extension header changes. Ensure total length
   matches skb length.

2) Restrict nft_payload writes to linklayer and network header data. Prevent
   linklayer writes from spilling into network headers. Validate network
   header updates to protect IP version and length fields.

3) Add restrictions to the checksum offset; without this, patch 2 isn't
   sufficient because an invalid checksum offset can e.g. overwrite the iph
   header length field.

This doesn't remove the userns restriction, yet.
I would like to wait a bit before re-enabling this to make sure there
are no other gaps (e.g. for encapsulated traffic).

Florian Westphal (3):
  netfilter: nfnetlink_queue: restrict writes to network header
  netfilter: nftables: restrict linklayer and network header writes
  netfilter: nftables: restrict checksum update offset

 net/netfilter/nfnetlink_queue.c | 170 ++++++++++++++++++++
 net/netfilter/nft_payload.c     | 270 ++++++++++++++++++++++++++++++++
 2 files changed, 440 insertions(+)

-- 
2.53.0

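The cover letter describes the consistency checks applied after a packet rewrite (IP version must not change, the IPv4 header length must fit, total/payload length must equal the skb length). The following userspace C sketch is an added illustration of those checks and is not code from the patch series, which is not quoted here; the function name, the family enum and the sample headers are constructed, with field offsets taken from RFC 791 and RFC 8200.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace illustration only, not the kernel code from the series:
 * accept a rewritten L3 header only if it is still consistent with
 * the buffer (skb) it sits in. */
enum l3_family { L3_IPV4 = 4, L3_IPV6 = 6 };

/* Returns 0 when the header is acceptable, -1 when the rewrite must be
 * rejected. 'expected' is the family the stack already committed to. */
static int validate_rewritten_l3(const uint8_t *pkt, size_t len,
                                 enum l3_family expected)
{
    if (len < 1 || (unsigned)(pkt[0] >> 4) != (unsigned)expected)
        return -1;                      /* version field must not change */
    if (expected == L3_IPV4) {
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        if (len < 20 || ihl < 20 || ihl > len)
            return -1;                  /* header length must fit the buffer */
        size_t tot_len = ((size_t)pkt[2] << 8) | pkt[3];
        return tot_len == len ? 0 : -1; /* total length must equal skb length */
    }
    if (expected == L3_IPV6) {
        if (len < 40)
            return -1;
        size_t payload_len = ((size_t)pkt[4] << 8) | pkt[5];
        return payload_len + 40 == len ? 0 : -1; /* fixed header + payload */
    }
    return -1;
}

/* Constructed sample headers without payload (not captured traffic). */
static const uint8_t v4_ok[20]  = {0x45,0,0,0x14,0,0,0,0,0x40,0x11,0,0,10,0,0,1,10,0,0,2};
static const uint8_t v4_ver[20] = {0x65,0,0,0x14,0,0,0,0,0x40,0x11,0,0,10,0,0,1,10,0,0,2}; /* version 6 in an IPv4 skb */
static const uint8_t v4_ihl[20] = {0x4f,0,0,0x14,0,0,0,0,0x40,0x11,0,0,10,0,0,1,10,0,0,2}; /* IHL 60 > 20 bytes */
static const uint8_t v4_len[20] = {0x45,0,0,0x28,0,0,0,0,0x40,0x11,0,0,10,0,0,1,10,0,0,2}; /* tot_len 40 != 20 */
static const uint8_t v6_ok[40]  = {0x60,0,0,0,0,0,0x3b,0x40,[8]=0xfe,[9]=0x80,[23]=1,[24]=0xfe,[25]=0x80,[39]=2};

int main(void)
{
    printf("v4 ok      -> %d\n", validate_rewritten_l3(v4_ok,  sizeof v4_ok,  L3_IPV4));
    printf("v4 version -> %d\n", validate_rewritten_l3(v4_ver, sizeof v4_ver, L3_IPV4));
    printf("v4 ihl     -> %d\n", validate_rewritten_l3(v4_ihl, sizeof v4_ihl, L3_IPV4));
    printf("v4 tot_len -> %d\n", validate_rewritten_l3(v4_len, sizeof v4_len, L3_IPV4));
    printf("v6 ok      -> %d\n", validate_rewritten_l3(v6_ok,  sizeof v6_ok,  L3_IPV6));
    return 0;
}
```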