* Raw payload matching beyond 2040 bits
@ 2022-08-19 10:07 Julien Moutinho
2022-08-19 10:37 ` Florian Westphal
2022-09-07 14:55 ` Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Julien Moutinho @ 2022-08-19 10:07 UTC (permalink / raw)
To: netfilter; +Cc: Dominique Martinet
Hi netfilter@,
Apparently matching beyond 2040 bits (255 bytes) starts again at 0 or something like that.
Not sure whether this is intended or not,
but in this case a warning would be appreciated.
Thanks for your work,
Julien
# nft add rule inet nat prerouting udp dport 4242 @th,2040,128 0x12345678912345678912345678912345 log
# nft add rule inet nat prerouting udp dport 4242 @th,2048,128 0x12345678912345678912345678912345 log
# nft list ruleset | grep 4242
udp dport 4242 @th,2040,128 0x12345678912345678912345678912345 log
udp dport 4242 udp sport 4660 udp dport 22136 udp length 37155 udp checksum 17767 @th,64,64 0x8912345678912345 log
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Raw payload matching beyond 2040 bits
2022-08-19 10:07 Raw payload matching beyond 2040 bits Julien Moutinho
@ 2022-08-19 10:37 ` Florian Westphal
2022-09-07 14:55 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2022-08-19 10:37 UTC (permalink / raw)
To: Julien Moutinho; +Cc: netfilter, Dominique Martinet, netfilter-devel
Julien Moutinho <julm+netfilter@sourcephile.fr> wrote:
[ moving to nf-devel ]
> Hi netfilter@,
>
> Apparently matching beyond 2040 bits (255 bytes) starts again at 0 or something like that.
> Not sure whether this is intended or not,
> but in this case a warning would be appreciated.
This is a kernel bug, the offset is truncated to u8 (modulo 256).
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Raw payload matching beyond 2040 bits
2022-08-19 10:07 Raw payload matching beyond 2040 bits Julien Moutinho
2022-08-19 10:37 ` Florian Westphal
@ 2022-09-07 14:55 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-09-07 14:55 UTC (permalink / raw)
To: Julien Moutinho; +Cc: netfilter, Dominique Martinet
On Fri, Aug 19, 2022 at 12:07:38PM +0200, Julien Moutinho wrote:
> Hi netfilter@,
>
> Apparently matching beyond 2040 bits (255 bytes) starts again at 0 or something like that.
> Not sure whether this is intended or not,
> but in this case a warning would be appreciated.
>
> Thanks for your work,
> Julien
>
> # nft add rule inet nat prerouting udp dport 4242 @th,2040,128 0x12345678912345678912345678912345 log
>
> # nft add rule inet nat prerouting udp dport 4242 @th,2048,128 0x12345678912345678912345678912345 log
>
> # nft list ruleset | grep 4242
> udp dport 4242 @th,2040,128 0x12345678912345678912345678912345 log
> udp dport 4242 udp sport 4660 udp dport 22136 udp length 37155 udp checksum 17767 @th,64,64 0x8912345678912345 log
Upstream kernel fix:
commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun Aug 21 11:47:04 2022 +0200
netfilter: nft_payload: report ERANGE for too long offset and length
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-07 14:55 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-19 10:07 Raw payload matching beyond 2040 bits Julien Moutinho
2022-08-19 10:37 ` Florian Westphal
2022-09-07 14:55 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox