Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=l1B9jf9z
From: Qi Tang
To: pablo@netfilter.org, fw@strlen.de, phil@nwl.cc
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, coreteam@netfilter.org, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, horms@kernel.org, herbert@gondor.apana.org.au, michael.bommarito@gmail.com, lyutoon@gmail.com, Qi Tang
Subject: [PATCH nf] netfilter: disable payload mangling in userns
Date: Sat, 16 May 2026 23:23:21 +0800
Message-ID: <20260516152321.2676564-1-tpluszz77@gmail.com>
X-Mailer: git-send-email 2.47.3
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: Florian Westphal

Several parts of the network stack rely on iph->ihl validation done by the network stack before PRE_ROUTING.

Disable this feature for user namespaces for now.

This could be relaxed later. Example:
- allow userns only for ingress hook.
- allow userns write if base is transport header
- allow userns write if base is linklayer and offset below network header offset
- allow userns write for ipv4 if offset+len match saddr/daddr
- allow userns write for ipv6 if offset+len match saddr/daddr
... etc.

tcp option handling might be safe even for LOCAL_IN, as LOCAL_IN gets invoked before tcp stack, but this turns it off too.

optstrip remains enabled, see no problem with that one.

I don't think these are the only means to alter packets, but these appear to be relatively prominent.

Another option would be to restrict this generally, however, this is harder to do for nfqueue. For nftables we know where the modification happens and can even reject a subset from netlink path directly. But for nfqueue, we'd need to 'revalidate' at least ip/ipv6 header for ipv4/ipv6 families.

Bridge path might be okay with arbitrary header modifications.

Cc: Herbert Xu
Cc: Michael Bommarito
Reported-by: Qi Tang
Reported-by: Tong Liu
Signed-off-by: Florian Westphal
Tested-by: Qi Tang
Link: https://lore.kernel.org/netfilter-devel/20260515100411.3141-1-fw@strlen.de/
Signed-off-by: Qi Tang
---
Tested on net.git tip: unprivileged userns nft @nh,*,* set rules hit -EPERM at rule install.

 net/netfilter/nfnetlink_queue.c | 3 +++
 net/netfilter/nft_exthdr.c      | 3 +++
 net/netfilter/nft_payload.c     | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 58304fd1f70ff..e1e1d11fdf04f 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1141,6 +1141,9 @@ nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int di { struct sk_buff *nskb; + if (e->state.net->user_ns != &init_user_ns) + return -EPERM; + if (diff < 0) { unsigned int min_len = skb_transport_offset(e->skb); diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index e6a07c0df2079..577a15383e986 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -551,6 +551,9 @@ static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx, u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6; int err; + if (ctx->net->user_ns != &init_user_ns) + return -EPERM; + if (!tb[NFTA_EXTHDR_SREG] || !tb[NFTA_EXTHDR_TYPE] || !tb[NFTA_EXTHDR_OFFSET] || diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index 01e13e5255a94..484a5490832e4 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c @@ -917,6 +917,9 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, struct nft_payload_set *priv = nft_expr_priv(expr); int err; + if (ctx->net->user_ns != &init_user_ns) + return -EPERM; + priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE])); priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN])); -- 2.47.3
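Review bot: the check added to nfqnl_mangle() sits on the per-verdict data path, not at configuration time, so its -EPERM goes to whatever nfqnl_mangle()'s caller does with a negative return rather than to the user as a netlink error the way the two nft_*_init() checks do; that caller is not in the hunk, so the commit message should say what an unprivileged nfqueue user observes when a verdict carries a payload (an error on the socket, or the packet silently dropped), and if it is the latter, consider rejecting the payload attribute at verdict-parsing time under the same `e->state.net->user_ns != &init_user_ns` condition so the failure is visible. Assuming nfqnl_mangle() is only reached when a payload is attached, plain verdicts are unaffected, which is also worth stating.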
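Review bot: in nft_exthdr_tcp_set_init() the user_ns test precedes the `!tb[NFTA_EXTHDR_SREG] || !tb[NFTA_EXTHDR_TYPE] || !tb[NFTA_EXTHDR_OFFSET]` attribute check, so a malformed expression from a non-init userns reports EPERM where it would report EINVAL in init_user_ns; harmless, but ordering attribute validation first keeps error reporting identical across namespaces. The identical three-line comparison now appears in nfnetlink_queue.c, nft_exthdr.c and nft_payload.c; a small shared helper would let the relaxations the commit message lists (ingress-only, transport-header base, saddr/daddr-only writes) be applied in one place later.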
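Review bot: nft_payload_set_init() compares the netns owner (ctx->net->user_ns) with &init_user_ns, not the caller's capabilities, so the restriction also covers a container whose root holds CAP_NET_ADMIN in a netns owned by a child user namespace, and it rejects every base including the link-layer one that the commit message says the bridge path might tolerate. Both follow from "for now", but they are user-visible regressions for existing container rulesets and should be spelled out in the commit message, ideally with a selftest under tools/testing/selftests/net/netfilter/ that installs an `@nh,*,* set` rule from an unprivileged userns and expects EPERM (the manual test described after the "---").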
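What the commit message's "revalidate at least ip/ipv6 header" would look like in practice, as an added userspace example that is not part of this patch and not kernel code: a C model of the IPv4 header checks ip_rcv_core() performs before PRE_ROUTING (version, ihl >= 5, ihl*4 inside the buffer, tot_len, header checksum; this check list is recalled from the kernel source and is an approximation, and the error codes are this example's own), run against a constructed 40-byte IPv4/TCP packet before and after an `@nh,0,8 set` style rewrite of the ihl nibble. The rewrite helper models nft's incremental checksum fix-up (RFC 1624) so the example shows that a rewrite which keeps the checksum consistent still fails structural revalidation. Function names, the sample packet and the helper behaviour are assumptions of this example, not of the patch.

```c
/* Added example (userspace model, not kernel code and not part of the patch):
 * re-validate an IPv4 header that may have been rewritten after ip_rcv_core()
 * checked it, e.g. by an nft payload set or an nfqueue mangle. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum ipv4_check {
	IPV4_OK = 0,
	IPV4_TRUNCATED,    /* fewer than 20 bytes in the buffer */
	IPV4_BAD_VERSION,  /* version nibble != 4 */
	IPV4_BAD_IHL,      /* ihl < 5 */
	IPV4_IHL_PAST_END, /* ihl*4 runs past the buffer */
	IPV4_BAD_TOT_LEN,  /* tot_len < ihl*4 or tot_len > buffer */
	IPV4_BAD_CSUM,     /* checksum over ihl*4 bytes does not verify */
};

/* Internet checksum over hlen (even) bytes; 0 means the header verifies. */
uint16_t ipv4_csum(const uint8_t *hdr, size_t hlen)
{
	uint32_t sum = 0;

	for (size_t i = 0; i + 1 < hlen; i += 2)
		sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Checks a later consumer of iph->ihl must repeat if the header could have
 * changed since the stack validated it (approximation of ip_rcv_core()). */
enum ipv4_check ipv4_revalidate(const uint8_t *pkt, size_t len, size_t *transport_off)
{
	if (len < 20)
		return IPV4_TRUNCATED;
	if ((pkt[0] >> 4) != 4)
		return IPV4_BAD_VERSION;
	unsigned int ihl = pkt[0] & 0x0f;
	if (ihl < 5)
		return IPV4_BAD_IHL;
	size_t hlen = (size_t)ihl * 4;
	if (hlen > len)
		return IPV4_IHL_PAST_END;
	uint16_t tot_len = (uint16_t)(pkt[2] << 8 | pkt[3]);
	if (tot_len < hlen || tot_len > len)
		return IPV4_BAD_TOT_LEN;
	if (ipv4_csum(pkt, hlen) != 0)
		return IPV4_BAD_CSUM;
	if (transport_off)
		*transport_off = hlen;
	return IPV4_OK;
}

/* Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2, proto TCP, tot_len 40, correct
 * checksum, then a 20-byte TCP header (sport 0x1234, dport 80). Returns 40. */
size_t build_sample_packet(uint8_t buf[40])
{
	static const uint8_t head[24] = {
		0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00,
		0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
		0x12, 0x34, 0x00, 0x50,
	};

	memset(buf, 0, 40);
	memcpy(buf, head, sizeof head);
	uint16_t c = ipv4_csum(buf, 20);
	buf[10] = (uint8_t)(c >> 8);
	buf[11] = (uint8_t)c;
	return 40;
}

/* Model of an nft "@nh,<off*8>,8 set <val>" on a packet that already passed
 * ip_rcv_core(): one byte changes and the IPv4 checksum field is fixed up
 * incrementally (RFC 1624: HC' = ~(~HC + ~m + m')) over the 16-bit word the
 * byte sits in. Returns 0, or -1 if off is out of range or is the checksum. */
int nh_set_byte(uint8_t *pkt, size_t len, size_t off, uint8_t val)
{
	if (len < 20 || off >= len || off == 10 || off == 11)
		return -1;
	size_t w = off & ~(size_t)1;
	uint16_t m_old = (uint16_t)(pkt[w] << 8 | (w + 1 < len ? pkt[w + 1] : 0));
	pkt[off] = val;
	uint16_t m_new = (uint16_t)(pkt[w] << 8 | (w + 1 < len ? pkt[w + 1] : 0));
	uint32_t sum = (uint16_t)~(uint16_t)(pkt[10] << 8 | pkt[11]);
	sum += (uint16_t)~m_old;
	sum += m_new;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	pkt[10] = (uint8_t)(~sum >> 8);
	pkt[11] = (uint8_t)~sum;
	return 0;
}

/* Rewrite only the ihl nibble of the sample (version stays 4, checksum kept
 * consistent) and report what revalidation says about the result. */
enum ipv4_check demo_mangled_ihl(unsigned int new_ihl, size_t *transport_off)
{
	uint8_t pkt[40];
	size_t len = build_sample_packet(pkt);

	if (nh_set_byte(pkt, len, 0, (uint8_t)(0x40 | (new_ihl & 0x0f))))
		return IPV4_TRUNCATED; /* cannot happen for the fixed sample */
	return ipv4_revalidate(pkt, len, transport_off);
}
```

Rewriting ihl to 15 leaves the 20-byte checksum verifying but moves the claimed transport header 20 bytes past the end of the packet, which is exactly the kind of value later code trusts when it only sees the pre-PRE_ROUTING validation; rewriting ihl to 6 is caught by the checksum instead, because the stack recomputes it over the new ihl*4 bytes, which now include the TCP ports.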