From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Rahul Sharma <rsharma@arista.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments
Date: Thu, 8 Jan 2015 22:11:23 +0100 [thread overview]
Message-ID: <20150108211123.GA4140@salvia> (raw)
In-Reply-To: <20150108205328.GA3361@salvia>
On Thu, Jan 08, 2015 at 09:53:28PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 07, 2015 at 11:43:16AM +0100, Hannes Frederic Sowa wrote:
> > > >> @@ -250,9 +251,7 @@ int ipv6_find_hdr(const struct sk_buff *
> > > >>
> > > >> _frag_off = ntohs(*fp) & ~0x7;
> > > >> if (_frag_off) {
> > > >> - if (target < 0 &&
> > > >> - ((!ipv6_ext_hdr(hp->nexthdr)) ||
> > > >
> > > > This check assumes that the following headers cannot show up in the
> > > > fragmented part of the IPv6 packet:
> > > >
> > > > 12 bool ipv6_ext_hdr(u8 nexthdr)
> > > > 13 {
> > > > 14 /*
> > > > 15 * find out if nexthdr is an extension header or a protocol
> > > > 16 */
> > > > 17 return (nexthdr == NEXTHDR_HOP) ||
> > > > 18 (nexthdr == NEXTHDR_ROUTING) ||
> > > > 19 (nexthdr == NEXTHDR_FRAGMENT) ||
> > > > 20 (nexthdr == NEXTHDR_AUTH) ||
> > > > 21 (nexthdr == NEXTHDR_NONE) ||
> > > > 22 (nexthdr == NEXTHDR_DEST);
> > > >
> > > >> - hp->nexthdr == NEXTHDR_NONE)) {
> > > >> + if (target < 0) {
> > > >> if (fragoff)
> > > >> *fragoff = _frag_off;
> > > >> return hp->nexthdr;
> > > >> --
> > > >> To unsubscribe from this list: send the line "unsubscribe netdev" in
> > > >> the body of a message to majordomo@vger.kernel.org
> > > >> More majordomo info at http://vger.kernel.org/majordomo-info.html
> > >
> > > I think this is incorrect. Authentication header shows up in the
> > > fragmentable part of the original IPv6 packet. So, for the non-first
> > > fragments the next-header field value can be NEXTHDR_AUTH.
> >
> > Pablo's mail got me thinking again.
> >
> > In general, IPv6 extension headers can appear in any order and stacks
> > must be process them. Fragmentation adds a limitation, that some
> > extension headers do not make sense and don't have any effect if they
> > appear after a fragmentation header (HbH and ROUTING).
> >
> > Looking at the rest of the function we don't check for HBHHDR or RTHDR
> > following a fragmentation header either if we process the first fragment
> > (core stack only processes HBH if directly following the ipv6 header
> > anyway).
> >
> > So, in my opinion, it is safe to completely remove this check and it
> > would align if the rest of the extension processing logic. The callers
> > all seem fine with that.
> >
> > Pablo, what do you think?
>
> I'm afraid we cannot just get rid of that !ipv6_ext_hdr() check. The
> ipv6_find_hdr() function is designed to return the transport protocol.
> After the proposed change, it will return extension header numbers.
> This will break existing ip6tables rulesets since the `-p' option
> relies on this function to match the transport protocol.
>
> Note that the AH header is skipped (see code a bit below this
> problematic fragmentation handling) so the follow up header after the
> AH header is returned as the transport header.
>
> We can probably return the AH protocol number for non-1st fragments.
> However, that would be something new to ip6tables since nobody has
> ever seen packet matching `-p ah' rules.
# ip6tables -I INPUT -p ah
Warning: never matched protocol: ah. use extension match instead.
next prev parent reply other threads:[~2015-01-08 21:11 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAFB3abzYNYqtzd_n+Ym0Lo=DYbV0HPU=Tqw=stALNnu188hMKQ@mail.gmail.com>
2015-01-06 22:47 ` [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments Pablo Neira Ayuso
2015-01-07 5:41 ` Rahul Sharma
2015-01-07 10:43 ` Hannes Frederic Sowa
2015-01-07 20:48 ` Rahul Sharma
2015-01-08 13:11 ` Hannes Frederic Sowa
2015-01-08 20:53 ` Pablo Neira Ayuso
2015-01-08 21:11 ` Pablo Neira Ayuso [this message]
2015-01-08 22:39 ` Hannes Frederic Sowa
2015-01-09 0:05 ` Pablo Neira Ayuso
2015-01-09 7:18 ` Rahul Sharma
2015-01-09 11:34 ` Hannes Frederic Sowa
2015-01-09 11:45 ` Pablo Neira Ayuso
2015-01-09 15:50 ` Hannes Frederic Sowa
2015-01-12 11:08 ` Rahul Sharma
2015-01-12 11:51 ` Pablo Neira Ayuso
2015-01-13 4:23 ` Rahul Sharma
2015-01-13 10:11 ` Hannes Frederic Sowa
2015-01-22 11:24 ` Rahul Sharma
2015-01-09 11:36 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150108211123.GA4140@salvia \
--to=pablo@netfilter.org \
--cc=hannes@stressinduktion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=rsharma@arista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).