From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
coreteam@netfilter.org, fw@strlen.de, phil@nwl.cc
Subject: Re: [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation for non-first fragments
Date: Sat, 18 Apr 2026 09:49:22 +0200 [thread overview]
Message-ID: <aeM3gmXM43beA3ot@chamomile> (raw)
In-Reply-To: <20260417183433.4739-1-fmancera@suse.de>
Hi Fernando,
On Fri, Apr 17, 2026 at 08:34:30PM +0200, Fernando Fernandez Mancera wrote:
> The SCTP chunk matching logic in nft_exthdr relies on SCTP common header
> being present at the transport header offset. For fragmented packets at
> IP level, only the first fragment would match this condition.
>
> The nft_exthdr could be used in a PREROUTING chain with a priority lower
> than -400. This would bypass defragmentation. In addition, it can be use
> in stateless environments so it should work on a environment where
> defragmentation is not being performed at all.
Yes, and stateless filtering is still a valid configuration, ie.
nf_conntrack is not loaded.
> Add a check for pkt->fragoff to ensure exthdr SCTP only evaluates
> unfragmented packets or the first fragment in the stream.
I would suggest to squash the three small patches to check for
pkt->fragoff in one patch. The three expressions have been already
around for a while (backporting the combo patch that makes the same
logical change should be easy) and it is basically the same logical
change.
Thanks!
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
> ---
> net/netfilter/nft_exthdr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 7eedf4e3ae9c..8eb708bb8cff 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
> const struct sctp_chunkhdr *sch;
> struct sctp_chunkhdr _sch;
>
> - if (pkt->tprot != IPPROTO_SCTP)
> + if (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)
> goto err;
>
> do {
> --
> 2.53.0
>
next prev parent reply other threads:[~2026-04-18 7:49 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 18:34 [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation for non-first fragments Fernando Fernandez Mancera
2026-04-17 18:34 ` [PATCH 2/4 nf] netfilter: nft_tproxy: skip " Fernando Fernandez Mancera
2026-04-17 18:34 ` [PATCH 3/4 nf] netfilter: nft_osf: " Fernando Fernandez Mancera
2026-04-17 18:34 ` [PATCH 4/4 nf] netfilter: xtables: fix L4 header parsing " Fernando Fernandez Mancera
2026-04-18 7:51 ` Pablo Neira Ayuso
2026-04-18 7:49 ` Pablo Neira Ayuso [this message]
2026-04-18 9:51 ` [PATCH 1/4 nf] netfilter: nft_exthdr: skip SCTP chunk evaluation " Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeM3gmXM43beA3ot@chamomile \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=fmancera@suse.de \
--cc=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.