From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org,
syzbot+256c348558aa5cf611a9@syzkaller.appspotmail.com
Subject: Re: [PATCH nf v3] netfilter: xtables: avoid NFPROTO_UNSPEC where needed
Date: Wed, 9 Oct 2024 23:24:46 +0200
Message-ID: <Zwb0ngWN7XSPs6lj@calendula>
In-Reply-To: <20241007092819.4489-1-fw@strlen.de>

On Mon, Oct 07, 2024 at 11:28:16AM +0200, Florian Westphal wrote:
> syzbot managed to call xt_cluster match via ebtables:
>
> WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
> [..]
> ebt_do_table+0x174b/0x2a40
>
> Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
> processing. As this is only useful to restrict locally terminating
> TCP/UDP traffic, register this for ipv4 and ipv6 family only.
>
> Pablo points out that this is a general issue, direct users of the
> set/getsockopt interface can call into targets/matches that were only
> intended for use with ip(6)tables.
>
> Check all UNSPEC matches and targets for similar issues:
>
> - matches and targets are fine except if they assume skb_network_header()
> is valid -- this is only true when called from inet layer: ip(6) stack
> pulls the ip/ipv6 header into linear data area.
> - targets that return XT_CONTINUE or other xtables verdicts must be
> restricted too, they are incompatible with the ebtables traverser, e.g.
> EBT_CONTINUE is a completely different value than XT_CONTINUE.
>
> Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as
> they are provided for use by ip(6)tables.
>
> The MARK target is also used by arptables, so register for NFPROTO_ARP too.
>
> This change passes the selftests in iptables.git.
Applied. I edited and appended this for the connbyte chunk:
"While at it, bail out if connbytes fails to enable the corresponding
conntrack family."
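To make the verdict-space point from the quoted description concrete, here is an added user-space model (not code from the patch or from the kernel tree) of how the ebtables traverser classifies the integer a target returns. The verdict constants are the values from the kernel UAPI headers (netfilter.h, netfilter/x_tables.h, netfilter_bridge/ebtables.h); the `ebt_dispatch()` function and its `enum ebt_outcome` are a simplified stand-in for the checks in `ebt_do_table()`, written for this example.

```c
/* Added example: model of ebtables verdict handling, not kernel code.
 * Shows why an xtables target that returns XT_CONTINUE must not be
 * reachable from the bridge family: the same bit pattern means
 * something else to the ebtables traverser. */
#include <stdio.h>

/* Values as defined in the kernel UAPI headers. */
#define NF_DROP        0
#define NF_ACCEPT      1
#define NF_REPEAT      4
#define XT_CONTINUE    0xFFFFFFFF          /* xtables: keep traversing   */
#define XT_RETURN      (-NF_REPEAT - 1)    /* xtables: return from chain */
#define EBT_ACCEPT    -1
#define EBT_DROP      -2
#define EBT_CONTINUE  -3
#define EBT_RETURN    -4

/* Outcome categories for this model (not kernel identifiers). */
enum ebt_outcome { OUT_ACCEPT, OUT_DROP, OUT_CONTINUE, OUT_RETURN,
                   OUT_JUMP, OUT_BOGUS_DROP };

/* Simplified stand-in for the verdict checks in ebt_do_table(): the
 * target's unsigned return value is stored in an int and compared
 * against the EBT_* standard verdicts in turn. */
enum ebt_outcome ebt_dispatch(unsigned int target_verdict)
{
	int verdict = (int)target_verdict;   /* ebt_do_table keeps an int */

	if (verdict == EBT_ACCEPT)   return OUT_ACCEPT;
	if (verdict == EBT_DROP)     return OUT_DROP;
	if (verdict == EBT_RETURN)   return OUT_RETURN;
	if (verdict == EBT_CONTINUE) return OUT_CONTINUE;
	if (verdict < 0)             return OUT_BOGUS_DROP; /* "bogus standard verdict" -> NF_DROP */
	return OUT_JUMP;             /* non-negative: taken as a user-defined chain offset */
}

int main(void)
{
	static const char *names[] = { "ACCEPT", "DROP", "CONTINUE", "RETURN",
	                               "JUMP-TO-CHAIN", "BOGUS->DROP" };
	/* An xtables target meaning "continue" is read as EBT_ACCEPT. */
	printf("XT_CONTINUE  -> %s\n", names[ebt_dispatch(XT_CONTINUE)]);
	/* An xtables "return" matches no EBT_* verdict and is dropped. */
	printf("XT_RETURN    -> %s\n", names[ebt_dispatch(XT_RETURN)]);
	/* The native ebtables verdict behaves as intended. */
	printf("EBT_CONTINUE -> %s\n", names[ebt_dispatch(EBT_CONTINUE)]);
	return 0;
}
```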