[PATCH] netfilter: allow ipv6 fragments to arrive on different devices

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] netfilter: allow ipv6 fragments to arrive on different devices
@ 2024-08-06 10:57 Tom Hughes
  2024-08-06 11:28 ` Florian Westphal
  2024-08-06 11:40 ` [PATCH v2] " Tom Hughes
  0 siblings, 2 replies; 4+ messages in thread
From: Tom Hughes @ 2024-08-06 10:57 UTC (permalink / raw)
  To: pablo, kadlec, netfilter-devel; +Cc: netdev, Tom Hughes

Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
for multicast and link-local packets") modified the ipv6 fragment
reassembly logic to distinguish frag queues by device for multicast
and link-local packets but in fact only the main reassembly code
limits the use of the device to those address types and the netfilter
reassembly code uses the device for all packets.

This means that if fragments of a packet arrive on different interfaces
then netfilter will fail to reassemble them and the fragments will be
expired without going any further through the filters.

Signed-off-by: Tom Hughes <tom@compton.nu>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 6f0844c9315d..4120e67a8ce6 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -154,6 +154,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
 	};
 	struct inet_frag_queue *q;

+	if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST |
+					    IPV6_ADDR_LINKLOCAL)))
+		key.iif = 0;
+
 	q = inet_frag_find(nf_frag->fqdir, &key);
 	if (!q)
 		return NULL;
-- 
2.45.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: allow ipv6 fragments to arrive on different devices
  2024-08-06 10:57 [PATCH] netfilter: allow ipv6 fragments to arrive on different devices Tom Hughes
@ 2024-08-06 11:28 ` Florian Westphal
  2024-08-06 11:38   ` Tom Hughes
  2024-08-06 11:40 ` [PATCH v2] " Tom Hughes
  1 sibling, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2024-08-06 11:28 UTC (permalink / raw)
  To: Tom Hughes; +Cc: pablo, kadlec, netfilter-devel, netdev

Tom Hughes <tom@compton.nu> wrote:
> Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
> for multicast and link-local packets") modified the ipv6 fragment
> reassembly logic to distinguish frag queues by device for multicast
> and link-local packets but in fact only the main reassembly code
> limits the use of the device to those address types and the netfilter
> reassembly code uses the device for all packets.
> 
> This means that if fragments of a packet arrive on different interfaces
> then netfilter will fail to reassemble them and the fragments will be
> expired without going any further through the filters.
> 
> Signed-off-by: Tom Hughes <tom@compton.nu>

Probably:
Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")

?

Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex
for types other than mcast/linklocal.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: allow ipv6 fragments to arrive on different devices
  2024-08-06 11:28 ` Florian Westphal
@ 2024-08-06 11:38   ` Tom Hughes
  0 siblings, 0 replies; 4+ messages in thread
From: Tom Hughes @ 2024-08-06 11:38 UTC (permalink / raw)
  To: Florian Westphal; +Cc: pablo, kadlec, netfilter-devel, netdev

On 06/08/2024 12:28, Florian Westphal wrote:
> Tom Hughes <tom@compton.nu> wrote:
>> Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
>> for multicast and link-local packets") modified the ipv6 fragment
>> reassembly logic to distinguish frag queues by device for multicast
>> and link-local packets but in fact only the main reassembly code
>> limits the use of the device to those address types and the netfilter
>> reassembly code uses the device for all packets.
>>
>> This means that if fragments of a packet arrive on different interfaces
>> then netfilter will fail to reassemble them and the fragments will be
>> expired without going any further through the filters.
>>
>> Signed-off-by: Tom Hughes <tom@compton.nu>
> 
> Probably:
> Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
> 
> ?
> 
> Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex
> for types other than mcast/linklocal.

Ah yes... I had found that change and knew it changed how the main
reassembly code implemented the exception but hadn't realised that
before that netfilter shared the comparison routine.

I'll update the patch to add that.

Tom

-- 
Tom Hughes (tom@compton.nu)
http://compton.nu/


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH v2] netfilter: allow ipv6 fragments to arrive on different devices
  2024-08-06 10:57 [PATCH] netfilter: allow ipv6 fragments to arrive on different devices Tom Hughes
  2024-08-06 11:28 ` Florian Westphal
@ 2024-08-06 11:40 ` Tom Hughes
  1 sibling, 0 replies; 4+ messages in thread
From: Tom Hughes @ 2024-08-06 11:40 UTC (permalink / raw)
  To: pablo, kadlec, netfilter-devel; +Cc: netdev, Tom Hughes

Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
for multicast and link-local packets") modified the ipv6 fragment
reassembly logic to distinguish frag queues by device for multicast
and link-local packets but in fact only the main reassembly code
limits the use of the device to those address types and the netfilter
reassembly code uses the device for all packets.

This means that if fragments of a packet arrive on different interfaces
then netfilter will fail to reassemble them and the fragments will be
expired without going any further through the filters.

Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
Signed-off-by: Tom Hughes <tom@compton.nu>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 6f0844c9315d..4120e67a8ce6 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -154,6 +154,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
 	};
 	struct inet_frag_queue *q;

+	if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST |
+					    IPV6_ADDR_LINKLOCAL)))
+		key.iif = 0;
+
 	q = inet_frag_find(nf_frag->fqdir, &key);
 	if (!q)
 		return NULL;
-- 
2.45.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-08-06 11:41 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-06 10:57 [PATCH] netfilter: allow ipv6 fragments to arrive on different devices Tom Hughes
2024-08-06 11:28 ` Florian Westphal
2024-08-06 11:38   ` Tom Hughes
2024-08-06 11:40 ` [PATCH v2] " Tom Hughes

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).