Linux Netfilter development
* [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling
@ 2026-04-17 13:19 Florian Westphal
  2026-04-18  7:28 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2026-04-17 13:19 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

sashiko.dev noticed that a similar bug pattern exists in arpt_mangle:
  "IEEE1394 ARP payloads omit the target hardware address, advancing
  arpptr by hln after the source IP address skips over the actual target
  IP address."

Apply similar fix: check dev->type.  If we're asked to mangle what
doesn't exist, drop the packet.

Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Collides with an inflight patch.
 I'll rebase or discard depending on what netdev@ does.

 net/ipv4/netfilter/arpt_mangle.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index a4e07e5e9c11..5a3560e1b59b 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -13,6 +13,7 @@ static unsigned int
 target(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct arpt_mangle *mangle = par->targinfo;
+	bool has_tgt_devaddr = true;
 	const struct arphdr *arp;
 	unsigned char *arpptr;
 	int pln, hln;
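Review bot: The name `has_tgt_devaddr` in the new declaration is easy to misread as a property of the rule, because the rule's own field is `mangle->tgt_devaddr`; what it records is whether the ARP payload on this device type carries a target hardware address. A one-line comment on the declaration, or a name that refers to the payload rather than the rule, would keep the two apart.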
@@ -39,13 +40,33 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
 		memcpy(arpptr, &mangle->u_s.src_ip, pln);
 	}
 	arpptr += pln;
+
+	if (IS_ENABLED(CONFIG_FIREWIRE_NET)) {
+		const struct net_device *dev = skb->dev;
+
+		if (!dev) {
+			/* can't munge without arphrd type. */
+			if (mangle->flags & (ARPT_MANGLE_TDEV|ARPT_MANGLE_TIP))
+				return NF_DROP;
+			return mangle->target;
+		}
+
+		if (dev->type == ARPHRD_IEEE1394)
+			has_tgt_devaddr = false;
+	}
+
 	if (mangle->flags & ARPT_MANGLE_TDEV) {
+		if (!has_tgt_devaddr)
+			return NF_DROP;
+
 		if (ARPT_DEV_ADDR_LEN_MAX < hln ||
 		   (arpptr + hln > skb_tail_pointer(skb)))
 			return NF_DROP;
 		memcpy(arpptr, mangle->tgt_devaddr, hln);
 	}
-	arpptr += hln;
+	if (has_tgt_devaddr)
+		arpptr += hln;
+
 	if (mangle->flags & ARPT_MANGLE_TIP) {
 		if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
 		   (arpptr + pln > skb_tail_pointer(skb)))
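Review bot: The `!dev` branch sits inside `if (IS_ENABLED(CONFIG_FIREWIRE_NET))`, so the result for a packet with a NULL `skb->dev` and `ARPT_MANGLE_TDEV` or `ARPT_MANGLE_TIP` set depends on the build: NF_DROP when firewire net is enabled, mangling with the default layout when it is not. If `skb->dev` can be NULL at this point, treat it the same way in both configurations; if it cannot, the branch can go. The commit message only describes the `dev->type` check, so the NULL-device handling should be mentioned there as well.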
-- 
2.52.0
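
The layout difference described in the commit message, as an added userspace example that is not part of the patch or of the kernel source: the function names and the sample packet are constructed for illustration, and the offsets are derived from the `hln`/`pln` header fields the way the patched code walks `arpptr`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARPHRD_ETHER     1
#define ARPHRD_IEEE1394 24
#define ARP_HDR_LEN      8  /* htype(2) ptype(2) hln(1) pln(1) op(2) */

/* Offset of the target IP in an ARP packet, or -1 if it does not fit. */
static long arp_target_ip_offset(const uint8_t *pkt, size_t len, int dev_type)
{
	size_t hln, pln, off;
	if (len < ARP_HDR_LEN)
		return -1;
	hln = pkt[4];
	pln = pkt[5];
	off = ARP_HDR_LEN + hln + pln;     /* sender hw address + sender IP */
	if (dev_type != ARPHRD_IEEE1394)
		off += hln;                /* target hw address is present */
	if (off + pln > len)               /* same role as the tail-pointer check */
		return -1;
	return (long)off;
}

/* Rewrite the IPv4 target address; 0 on success, -1 if refused. */
static int mangle_target_ip(uint8_t *pkt, size_t len, int dev_type, const uint8_t ip[4])
{
	long off = arp_target_ip_offset(pkt, len, dev_type);
	if (off < 0 || pkt[5] != 4)
		return -1;
	memcpy(pkt + off, ip, 4);
	return 0;
}

/* Constructed sample: 32-byte IEEE1394 ARP request (hln=16, pln=4). */
static const uint8_t sample_1394[32] = {
	0x00, 0x18, 0x08, 0x00, 16, 4, 0x00, 0x01,            /* fixed header */
	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, /* sender hw */
	192, 0, 2, 1,                                         /* sender IP */
	192, 0, 2, 2,                                         /* target IP */
};

int main(void)
{
	printf("1394 layout: %ld, Ethernet layout: %ld\n",
	       arp_target_ip_offset(sample_1394, 32, ARPHRD_IEEE1394),
	       arp_target_ip_offset(sample_1394, 32, ARPHRD_ETHER));
	return 0;
}
```

Walking the same 32-byte packet with the Ethernet layout puts the target IP past the end of the data, which is the skip the quoted report describes.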



* Re: [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling
  2026-04-17 13:19 [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling Florian Westphal
@ 2026-04-18  7:28 ` Pablo Neira Ayuso
  2026-04-18  8:10   ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2026-04-18  7:28 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Hi Florian,

On Fri, Apr 17, 2026 at 03:19:05PM +0200, Florian Westphal wrote:
> sashiko.dev noticed that a similar bug pattern exists in arpt_mangle:
>   "IEEE1394 ARP payloads omit the target hardware address, advancing
>   arpptr by hln after the source IP address skips over the actual target
>   IP address."
> 
> Apply similar fix: check dev->type.  If we're asked to mangle what
> doesn't exist, drop the packet.

I included a fix for this in:

https://patchwork.kernel.org/project/netdevbpf/patch/20260417091422.342615-1-pablo@netfilter.org/

I forgot to mangle the patch title though to:

        netfilter: arp_tables: fix IEEE1394 ARP payload parsing

> Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  Collides with an inflight patch.

Are you referring to the patch I made?

>  I'll rebase or discard depending on what netdev@ does.
> 
>  net/ipv4/netfilter/arpt_mangle.c | 23 ++++++++++++++++++++++-
>  1 file changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
> index a4e07e5e9c11..5a3560e1b59b 100644
> --- a/net/ipv4/netfilter/arpt_mangle.c
> +++ b/net/ipv4/netfilter/arpt_mangle.c
> @@ -13,6 +13,7 @@ static unsigned int
>  target(struct sk_buff *skb, const struct xt_action_param *par)
>  {
>  	const struct arpt_mangle *mangle = par->targinfo;
> +	bool has_tgt_devaddr = true;
>  	const struct arphdr *arp;
>  	unsigned char *arpptr;
>  	int pln, hln;
> @@ -39,13 +40,33 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
>  		memcpy(arpptr, &mangle->u_s.src_ip, pln);
>  	}
>  	arpptr += pln;
> +
> +	if (IS_ENABLED(CONFIG_FIREWIRE_NET)) {
> +		const struct net_device *dev = skb->dev;
> +
> +		if (!dev) {
> +			/* can't munge without arphrd type. */
> +			if (mangle->flags & (ARPT_MANGLE_TDEV|ARPT_MANGLE_TIP))
> +				return NF_DROP;
> +			return mangle->target;
> +		}
> +
> +		if (dev->type == ARPHRD_IEEE1394)
> +			has_tgt_devaddr = false;
> +	}
> +
>  	if (mangle->flags & ARPT_MANGLE_TDEV) {
> +		if (!has_tgt_devaddr)
> +			return NF_DROP;
> +
>  		if (ARPT_DEV_ADDR_LEN_MAX < hln ||
>  		   (arpptr + hln > skb_tail_pointer(skb)))
>  			return NF_DROP;
>  		memcpy(arpptr, mangle->tgt_devaddr, hln);
>  	}
> -	arpptr += hln;
> +	if (has_tgt_devaddr)
> +		arpptr += hln;
> +
>  	if (mangle->flags & ARPT_MANGLE_TIP) {
>  		if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
>  		   (arpptr + pln > skb_tail_pointer(skb)))
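Review bot: The `if (!has_tgt_devaddr) return NF_DROP;` check in the `ARPT_MANGLE_TDEV` branch has no comment, and it means a rule with that flag now discards every matching ARP packet on an `ARPHRD_IEEE1394` device. A short comment at the check saying that this payload has no target hardware address to rewrite would explain the drop to the next reader, and the commit message should state the user-visible effect on such rules.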
> -- 
> 2.52.0
> 
> 


* Re: [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling
  2026-04-18  7:28 ` Pablo Neira Ayuso
@ 2026-04-18  8:10   ` Florian Westphal
  0 siblings, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2026-04-18  8:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi Florian,
> 
> On Fri, Apr 17, 2026 at 03:19:05PM +0200, Florian Westphal wrote:
> > sashiko.dev noticed that a similar bug pattern exists in arpt_mangle:
> >   "IEEE1394 ARP payloads omit the target hardware address, advancing
> >   arpptr by hln after the source IP address skips over the actual target
> >   IP address."
> > 
> > Apply similar fix: check dev->type.  If we're asked to mangle what
> > doesn't exist, drop the packet.
> 
> I included a fix for this in:
> 
> https://patchwork.kernel.org/project/netdevbpf/patch/20260417091422.342615-1-pablo@netfilter.org/

I saw that *after* I had made this patch.

> >  Collides with an inflight patch.
> 
> Are you referring to the patch I made?

Yes.

