[PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic
@ 2016-08-17 15:14 Pablo Neira Ayuso
  2016-08-17 15:28 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 15:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

For non-IP traffic seen from the netdev family, set nft_pktinfo fields
other the value of these fields is garbage.

This patch sets transport protocol number to IPPROTO_RAW since 0 means
IPPROTO_IP, then zero transport and fragment offsets.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h | 10 ++++++++++
 net/netfilter/nf_tables_netdev.c  |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index f2f1339..688a78b 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -36,6 +36,16 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
 	pkt->pf = pkt->xt.family = state->pf;
 }
 
+static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
+					  struct sk_buff *skb,
+					  const struct nf_hook_state *state)
+{
+	nft_set_pktinfo(pkt, skb, state);
+	pkt->tprot = IPPROTO_RAW;
+	pkt->xt.thoff = 0;
+	pkt->xt.fragoff = 0;
+}
+
 /**
  * 	struct nft_verdict - nf_tables verdict
  *
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 5eefe4a..2556986 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -102,7 +102,7 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
 		nft_netdev_set_pktinfo_ipv6(&pkt, skb, state);
 		break;
 	default:
-		nft_set_pktinfo(&pkt, skb, state);
+		nft_set_pktinfo_unspec(&pkt, skb, state);
 		break;
 	}
 
-- 
2.1.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic
  2016-08-17 15:14 [PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic Pablo Neira Ayuso
@ 2016-08-17 15:28 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 15:28 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

On Wed, Aug 17, 2016 at 05:14:59PM +0200, Pablo Neira Ayuso wrote:
> For non-IP traffic seen from the netdev family, set nft_pktinfo fields
> other the value of these fields is garbage.

Will send a v2. It seems we can leave unset field in bridge too for
non-IP traffic.

This should be a problem since nft doesn't generate bytecode using
expression that require this fields.

But given that we assume the nftables VM can be used rawly by anyone,
entirely bypassing libraries and nft, it is good to have this
sanitized.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-08-17 15:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-17 15:14 [PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic Pablo Neira Ayuso
2016-08-17 15:28 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).