From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Maxim Mikityanskiy <maxim@isovalent.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 6.12 06/22] netfilter: socket: Lookup orig tuple for IPv6 SNAT
Date: Thu, 3 Apr 2025 16:20:16 +0100
Message-ID: <20250403151622.225282507@linuxfoundation.org>
In-Reply-To: <20250403151622.055059925@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Mikityanskiy <maxtram95@gmail.com>
commit 932b32ffd7604fb00b5c57e239a3cc4d901ccf6e upstream.
nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
restore the original 5-tuple in case of SNAT, to be able to find the
right socket (if any). Then socket_match() can correctly check whether
the socket was transparent.
However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
conntrack lookup, making xt_socket fail to match on the socket when the
packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.
IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
with the node's external address. Cilium leverages Envoy to enforce L7
policies, and Envoy uses transparent sockets. Cilium inserts an iptables
prerouting rule that matches on `-m socket --transparent` and redirects
the packets to localhost, but it fails to match SNATed IPv6 packets due
to that missing conntrack lookup.
Closes: https://github.com/cilium/cilium/issues/37932
Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/netfilter/nf_socket_ipv6.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/net/ipv6/netfilter/nf_socket_ipv6.c
+++ b/net/ipv6/netfilter/nf_socket_ipv6.c
@@ -103,6 +103,10 @@ struct sock *nf_sk_lookup_slow_v6(struct
struct sk_buff *data_skb = NULL;
int doff = 0;
int thoff = 0, tproto;
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn const *ct;
+#endif
tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
if (tproto < 0) {
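Review bot: the new declaration `struct nf_conn const *ct;` puts the qualifier after the type, which is at odds with the prevailing kernel style; `const struct nf_conn *ct;` would read consistently with the rest of netfilter and is what checkpatch-style reviews usually ask for. Guarding both declarations with `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` is right, since they are only referenced inside the matching block in the next hunk and would otherwise produce unused-variable warnings on builds without conntrack.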
@@ -136,6 +140,25 @@ struct sock *nf_sk_lookup_slow_v6(struct
return NULL;
}
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ /* Do the lookup with the original socket address in
+ * case this is a reply packet of an established
+ * SNAT-ted connection.
+ */
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct &&
+ ((tproto != IPPROTO_ICMPV6 &&
+ ctinfo == IP_CT_ESTABLISHED_REPLY) ||
+ (tproto == IPPROTO_ICMPV6 &&
+ ctinfo == IP_CT_RELATED_REPLY)) &&
+ (ct->status & IPS_SRC_NAT_DONE)) {
+ daddr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.in6;
+ dport = (tproto == IPPROTO_TCP) ?
+ ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.tcp.port :
+ ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
+ }
+#endif
+
return nf_socket_get_sock_v6(net, data_skb, doff, tproto, saddr, daddr,
sport, dport, indev);
}
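Review bot: the ICMPv6 arm of the condition, `tproto == IPPROTO_ICMPV6 && ctinfo == IP_CT_RELATED_REPLY`, keys on `tproto`, but the context above shows `tproto` being filled by `ipv6_find_hdr()` and then handed to the function's protocol-specific extraction before this block runs; if the ICMPv6 path of this function rewrites `tproto` to the protocol of the embedded packet (the IPv4 version reads `iph->protocol` directly and does not have this problem), that arm can never be true and ICMPv6 error replies on an SNATed connection would still be looked up with the translated tuple. Please confirm against the ICMPv6 extraction helper and, if so, save the outer protocol in a separate variable before it is overwritten. The `tcp.port`/`udp.port` ternary for `dport` is harmless either way, since both live in the same union slot of `tuple.src.u`, and overriding only `daddr`/`dport` (not the source side) matches the stated intent of restoring the pre-SNAT destination for the socket lookup.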