From: Alexey Kashavkin <akashavkin@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: Alexey Kashavkin <akashavkin@gmail.com>
Subject: Re: [PATCH] netfilter: nft_exthdr: fix offset with ipv4_find_option()
Date: Sun, 2 Mar 2025 01:04:31 +0300
Message-ID: <B89DC7E1-9DA1-4B38-96EF-F2AB021F62C9@gmail.com>
In-Reply-To: <20250301211436.2207-1-akashavkin@gmail.com>

Rules such as the following will always result in the NFT_BREAK verdict code:

# filter input ip option rr ptr 4 counter

This is because the function nft_skb_copy_to_reg() returns -EFAULT. This happens because in the skb_copy_bits() function the 'offset > (int)skb->len - len' condition causes a jump to the fault part of the code.

You can verify this with two virtual machines and the python scapy library.

Configure the nftables rule on some virtual machine. From another virtual machine, use scapy to send a packet with an IP option:

# python3 -m scapy
# >>> send(IP(dst='x.x.x.x', options=IPOption_RR())/ICMP())
# .
# Sent 1 packets.

The 'rr exists counter' rule will show the receiving of one packet, and the 'rr ptr 4 counter' rule will not increment the counter. After applying the patch from the previous email, the 'rr ptr 4 counter' rule will increment the counter. This will happen with other options as well. But for lsrr and ssrr, you must send the packet with the routers parameter filled in. This is due to checks in the __ip_options_compile() function.

# send(IP(dst='x.x.x.x', options=IPOption_LSRR(routers=['x.x.x.x']))/ICMP())
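
Added example (not part of the original message or of the kernel source): a user-space C model of the failure described above. It walks the IPv4 options of a constructed packet, then reads the RR pointer octet through the quoted skb_copy_bits() range check. copy_bits(), find_opt(), rr_ptr() and the skew parameter are hypothetical names, and a flat buffer stands in for the sk_buff.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: IPv4 header (IHL=6, checksum left 0), RR option, ICMP echo. */
static const uint8_t pkt[] = {
    0x46,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x07,0x03,0x04,0x00,              /* RR: type 7, len 3, ptr 4, EOL pad */
    0x08,0x00,0xf7,0xff, 0x00,0x00,0x00,0x00,
};

/* Model of the range check quoted from skb_copy_bits(), on a flat buffer. */
int copy_bits(const uint8_t *d, int dlen, int offset, void *to, int len)
{
    if (offset < 0 || offset > dlen - len)  /* quoted condition, plus a sign check */
        return -EFAULT;
    memcpy(to, d + offset, (size_t)len);
    return 0;
}

/* Offset of option 'type' from the start of the IP header, or -1 if absent. */
int find_opt(const uint8_t *d, int dlen, uint8_t type)
{
    int hlen, off = 20;
    if (dlen < 20 || (d[0] >> 4) != 4 || (hlen = (d[0] & 0x0f) * 4) > dlen)
        return -1;
    while (off < hlen && d[off] != 0) {     /* 0 = end of option list */
        int olen = 1;                       /* NOP (1) is a single octet */
        if (d[off] != 1) {
            if (off + 1 >= hlen || d[off + 1] < 2 || off + d[off + 1] > hlen)
                return -1;                  /* malformed option length */
            olen = d[off + 1];
        }
        if (d[off] == type)
            return off;
        off += olen;
    }
    return -1;
}

/* Read the RR pointer (third octet of the option, RFC 791).
 * 'skew' is a constructed stand-in for a miscalculated offset. */
int rr_ptr(const uint8_t *d, int dlen, int skew, uint8_t *ptr)
{
    int off = find_opt(d, dlen, 7);         /* 7 = Record Route */
    return off < 0 ? -ENOENT : copy_bits(d, dlen, off + 2 + skew, ptr, 1);
}
```

With skew 0 the read succeeds and yields pointer value 4; with an offset that lands past the end of the buffer the same call returns -EFAULT.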

Thread overview: 7+ messages
2025-03-01 21:14 [PATCH] netfilter: nft_exthdr: fix offset with ipv4_find_option() Alexey Kashavkin
2025-03-01 22:04 ` Alexey Kashavkin [this message]
2025-03-13 12:41   ` Alexey Kashavkin
2025-03-12  9:15 ` Florian Westphal
2025-03-12 13:56   ` Alexey Kashavkin
2025-03-12 14:16     ` Florian Westphal
2025-03-12 14:16   ` Florian Westphal
