From: Florian Westphal <fw@strlen.de>
To: Eric Woudstra <ericwouds@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Ido Schimmel <idosch@nvidia.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	netfilter-devel@vger.kernel.org, bridge@lists.linux.dev,
	netdev@vger.kernel.org
Subject: Re: [PATCH v14 nf-next 2/3] netfilter: bridge: Add conntrack double vlan and pppoe
Date: Wed, 9 Jul 2025 00:00:47 +0200
Message-ID: <aG2VDyHfVsp5L2zR@strlen.de>
In-Reply-To: <20250708151209.2006140-3-ericwouds@gmail.com>

Eric Woudstra <ericwouds@gmail.com> wrote:
> This adds the capability to conntrack 802.1ad, QinQ, PPPoE and PPPoE-in-Q
> packets that are passing a bridge, only when a conntrack zone is set.
> 
> Signed-off-by: Eric Woudstra <ericwouds@gmail.com>
> ---
>  net/bridge/netfilter/nf_conntrack_bridge.c | 88 ++++++++++++++++++----
>  1 file changed, 72 insertions(+), 16 deletions(-)
> 
> +			data_len = ntohs(ph->hdr.length) - 2;
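Review bot: ntohs(ph->hdr.length) comes straight from the packet and is not checked before the `- 2`, so a PPPoE length field of 0 or 1 makes data_len wrap (or go negative, depending on its type) rather than being rejected. Suggest bailing out for lengths below the 2-byte PPP protocol field before subtracting, e.g. `if (ntohs(ph->hdr.length) < 2) goto do_not_track;`.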

Shouldn't there be some validation on data_len here?

> +		if (!pskb_may_pull(skb, offset + sizeof(struct iphdr)))
> +			goto do_not_track;
 
>  		len = skb_ip_totlen(skb);
> -		if (pskb_trim_rcsum(skb, len))
> -			return NF_ACCEPT;
> +		if (data_len < len)
> +			len = data_len;
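Review bot: the clamp `if (data_len < len) len = data_len;` has no lower bound, so a data_len below sizeof(struct iphdr) (which the pskb_may_pull above has already made available) leaves len shorter than the IP header and the following pskb_trim_rcsum(skb, offset + len) cuts into the header itself. If nf_ct_br_ip_check is expected to reject that truncated packet, a comment stating so would help; otherwise reject data_len < sizeof(struct iphdr) here.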

Hmm.  So if ph->hdr.length is smaller than what the ip header claims,
len shrinks.

If it's higher, then the mismatch is ignored and we only use
the ip header length (i.e., the smaller value).

> +		if (pskb_trim_rcsum(skb, offset + len))
> +			goto do_not_track;

Is the intent that garbage data_len is caught here and

>  		if (nf_ct_br_ip_check(skb))
> -			return NF_ACCEPT;

here?  If so, maybe a comment could help.

> +		goto do_not_track;
>  	}
>  
> -	if (ret != NF_ACCEPT)
> -		return ret;
> +	if (ret == NF_ACCEPT)
> +		ret = nf_conntrack_in(skb, &bridge_state);
>  
> -	return nf_conntrack_in(skb, &bridge_state);
> +do_not_track:
> +	if (offset) {

if (ret == NF_ACCEPT && offset) { ...

Else skb could have been freed. There should be test cases for this
functionality included.  If we lack test cases for the existing
functionality, which might be the case, please consider submitting
a reduced test case first so it can be applied regardless of the
remaining functionality.
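As an added illustration of the length reconciliation discussed in this reply (this is example code, not code from the patch, the kernel or the author; the frames are constructed and all function and enum names are hypothetical), a userspace C model of how an IPv4-over-PPPoE frame could be validated before its lengths are trusted. It rejects a PPPoE length field below 2 (the wrap case), a payload too short to hold an IPv4 header, and a PPPoE length smaller than the IPv4 total length, and it takes the IPv4 total length when PPPoE claims more. The patch under review shrinks len in the smaller-PPPoE case and relies on later checks; rejecting that case outright is this model's own design choice.

```c
/* Added example, not code from the patch or the kernel: a userspace model of
 * the PPPoE-vs-IPv4 length reconciliation discussed in this review.  Assumed
 * layout (RFC 2516 session stage): 6-byte PPPoE header (ver/type, code,
 * session id, length), 2-byte PPP protocol field, IPv4 header.  Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PPPOE_HDR_LEN  6
#define PPP_PROTO_LEN  2
#define PPP_PROTO_IPV4 0x0021
#define IPV4_MIN_HDR   20

enum pppoe_verdict { PPPOE_OK, PPPOE_TRUNCATED, PPPOE_BAD_LENGTH, PPPOE_NOT_IPV4 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a buffer starting at the PPPoE header.  On PPPOE_OK, *ip_off is the
 * offset of the IPv4 header and *ip_len the length both headers agree on. */
enum pppoe_verdict pppoe_ipv4_check(const uint8_t *pkt, size_t pkt_len,
                                    size_t *ip_off, size_t *ip_len)
{
    size_t off = PPPOE_HDR_LEN + PPP_PROTO_LEN;
    uint16_t pppoe_len, tot_len;
    size_t data_len;
    if (pkt_len < off)
        return PPPOE_TRUNCATED;
    if (pkt[0] != 0x11 || pkt[1] != 0x00)        /* ver 1, type 1, session data */
        return PPPOE_NOT_IPV4;
    pppoe_len = be16(pkt + 4);
    /* The patch computes ntohs(ph->hdr.length) - 2 unchecked; a length field
     * of 0 or 1 would wrap.  Reject it before subtracting. */
    if (pppoe_len < PPP_PROTO_LEN)
        return PPPOE_BAD_LENGTH;
    data_len = pppoe_len - PPP_PROTO_LEN;
    if (be16(pkt + PPPOE_HDR_LEN) != PPP_PROTO_IPV4)
        return PPPOE_NOT_IPV4;
    /* Same role as pskb_may_pull(skb, offset + sizeof(struct iphdr)). */
    if (pkt_len < off + IPV4_MIN_HDR)
        return PPPOE_TRUNCATED;
    /* A payload shorter than an IPv4 header cannot hold one; trimming down to
     * it would cut into the header itself. */
    if (data_len < IPV4_MIN_HDR)
        return PPPOE_BAD_LENGTH;
    if ((pkt[off] >> 4) != 4)
        return PPPOE_NOT_IPV4;
    tot_len = be16(pkt + off + 2);
    if (tot_len < IPV4_MIN_HDR)
        return PPPOE_BAD_LENGTH;
    /* The two mismatch directions raised in the review: PPPoE claiming less
     * than the IP total length means the framing cuts the IP packet short, so
     * reject instead of shrinking; PPPoE claiming more is padding, IP wins. */
    if (data_len < tot_len)
        return PPPOE_BAD_LENGTH;
    if (pkt_len < off + tot_len)
        return PPPOE_TRUNCATED;
    *ip_off = off;
    *ip_len = tot_len;
    return PPPOE_OK;
}

/* Constructed test frame: session PPPoE header with the given length field, PPP
 * protocol IPv4, minimal IPv4 header with the given total length, zero fill to body_len. */
size_t build_pppoe_ipv4(uint8_t *buf, size_t cap, uint16_t pppoe_len,
                        uint16_t ip_totlen, size_t body_len)
{
    size_t need = PPPOE_HDR_LEN + PPP_PROTO_LEN + body_len;
    if (cap < need || body_len < IPV4_MIN_HDR)
        return 0;
    memset(buf, 0, need);
    buf[0] = 0x11; buf[1] = 0x00;                 /* ver/type, code */
    buf[2] = 0x12; buf[3] = 0x34;                 /* session id */
    buf[4] = pppoe_len >> 8; buf[5] = pppoe_len & 0xff;
    buf[6] = 0x00; buf[7] = 0x21;                 /* PPP protocol: IPv4 */
    buf[8] = 0x45;                                /* IPv4, IHL 5 */
    buf[10] = ip_totlen >> 8; buf[11] = ip_totlen & 0xff;
    return need;
}

/* Build a frame with a 40-byte body and the given header fields and check it;
 * ip_len (if non-NULL) receives the accepted IP length, 0 on rejection. */
enum pppoe_verdict check_case(uint16_t pppoe_len, uint16_t ip_totlen, size_t *ip_len)
{
    uint8_t buf[128];
    size_t n = build_pppoe_ipv4(buf, sizeof buf, pppoe_len, ip_totlen, 40);
    size_t off = 0, len = 0;
    enum pppoe_verdict v = pppoe_ipv4_check(buf, n, &off, &len);
    if (ip_len)
        *ip_len = (v == PPPOE_OK) ? len : 0;
    return v;
}

/* Accepted IP length for a case, 0 when the frame is rejected. */
size_t case_ip_len(uint16_t pppoe_len, uint16_t ip_totlen)
{
    size_t len;
    check_case(pppoe_len, ip_totlen, &len);
    return len;
}
```

With a 40-byte IPv4 body, check_case(42, 40, ...) is consistent and accepted, check_case(0, 40, ...) and check_case(1, 40, ...) hit the wrap case, check_case(32, 40, ...) is PPPoE claiming less than IP, and check_case(62, 40, ...) is PPPoE claiming more and is accepted with the IP length of 40.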


Thread overview: 19+ messages
2025-07-08 15:12 [PATCH v14 nf-next 0/3] conntrack: bridge: add double vlan, pppoe and pppoe-in-q Eric Woudstra
2025-07-08 15:12 ` [PATCH v14 nf-next 1/3] netfilter: utils: nf_checksum(_partial) correct data!=networkheader Eric Woudstra
2025-09-06 21:09   ` Florian Westphal
2025-07-08 15:12 ` [PATCH v14 nf-next 2/3] netfilter: bridge: Add conntrack double vlan and pppoe Eric Woudstra
2025-07-08 22:00   ` Florian Westphal [this message]
2025-09-06 21:11   ` Florian Westphal
2025-09-09  9:17     ` Eric Woudstra
2025-07-08 15:12 ` [PATCH v14 nf-next 3/3] netfilter: nft_chain_filter: Add bridge " Eric Woudstra
2025-07-08 22:02   ` Florian Westphal
2025-07-11 12:55     ` Eric Woudstra
2025-07-11 14:14       ` Florian Westphal
2025-07-12 10:08         ` Eric Woudstra
2025-07-12 10:50           ` Florian Westphal
2025-09-02  8:48         ` Eric Woudstra
2025-09-02 13:18           ` Florian Westphal
2025-09-06 12:26             ` Eric Woudstra
2025-09-06 21:14   ` Florian Westphal
2025-09-09  9:21     ` Eric Woudstra
2025-09-09 14:26       ` Florian Westphal
