From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 34CC93C1413 for ; Fri, 29 May 2026 10:44:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.170 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780051453; cv=none; b=D/wdcxv85kgdoOzBTUKe+d7ej6gMEdsgG94if3JBeLI0S/eg045XMoNF8/n2168rdOsFxzo4LA/o2neSfXQQ1ApYTMSHW6xnl5oroG6nwGoNu6ccvg+Ywv/5RL1fmf7gIGrkDLsgiBViTUGa7sygGL2AFkExz/zN2ht8ljGFVqs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780051453; c=relaxed/simple; bh=I5S8k/JMKwGUwSZMT68XJfAURo2N9wKPHUe4tpEhYjY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DQoQ0vmuFLHqbYA8KLMZYCZgtoge+oLSoemCWRYyM5xqcK6zv2mB6vvlXfTkyGsxYEGpF03VT8dq0+Fi0WlNe/z+C12Ci1u04tQLJW2hsYLAQEvgMCoV/hNW36ZI7157GiA23Re3YoFJUW9lwvE7hN0C45EnQYd29GfC1DLZrDM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jpdAWPvL; arc=none smtp.client-ip=209.85.210.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jpdAWPvL" Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-8353ca0f1f1so6350454b3a.1 for ; Fri, 29 May 2026 03:44:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780051451; x=1780656251; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dEo/wAF2Vg4x050FkAPkUeP1qeuJRwK4JVX4fGCPq9o=; b=jpdAWPvLXL/6AnocOgYKW9yHV6WwPO4S6Qe4PbHduN8q+13NGQdbe3QxqhfGaz1wHp ePZhwWzaYyY97KEi8jWiO9O0k+h+QY9E3Plvt4v1HsWdcbYDiZdJbJgs5pIusLjuSQXe vF0XqIi39Yzo3ehga8niAMLv1sMQmaOfTJcr9vjLkLuiFJ3ovR07ifEOrhmaBwaAowV5 Z8toqXAC08NbV+Ea88z12IKX494x/BV5lfc1Kc4W5o5iMR6mfSfZnA5EsdM8UX4KuAxF iFuKCF1gKT1p+XCbRRmKtHOT6dIdboS9eydTfO2XRjqkVIkQvhNucEG9PjMGAtKfofFI oGdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780051451; x=1780656251; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=dEo/wAF2Vg4x050FkAPkUeP1qeuJRwK4JVX4fGCPq9o=; b=VbzZM6wJaL7ysneGzlrSbRcEvbTjML+LB0kp90xMW0TB/p1sSpKA3KP5F+RokrJZEV CKzKCNxCWVyeTnFlhdg4bHex0SYq74zgUp5rTgateFAVL5QMuVBhg6pyhQuXJh460l/I mPB/iVwL9sAK3bIPwdhnMiUWxkIcKUqnC1VFWrh2HY8d13DW65Kq36M+n8sqvAYVJB/C K6+IamSA5Yghkjnf7xs+Uq74rx62jLlJsjtV86G3bjBbc7T2hhYxznfT1hvFpMCXGtXl CwSTdSsgnbPXLR4fMKTRQXnXZYe8HA0euNrNT5vqFvHQVU0LXve7JeBn0susj1EUY9fX lE8g== X-Forwarded-Encrypted: i=1; AFNElJ+onm5WHR7Twwx9QlKT+MQ6fh9Kgds0SFndqRiCqsXIK+K1r2H6+WCOKyvI7LDwerSPRvpmdr0=@vger.kernel.org X-Gm-Message-State: AOJu0Yx0COQDBrFoeAZLyqo3tCrZwp1PPd7Bsu3baGjPOVsme+yiZaZ/ VuW15EWPGiUFs86S5XX52XLwmZzQYwR7rut1KDcNtrGtipHFJ+pTSWdVkepfXO4w X-Gm-Gg: Acq92OEmMM8VYvUL4X/SgCzj0tNPZvQOWKYE4veP5kCREPnHcc3HPnKbH40viwmpgxz Y38Bw2lbRZJcvjXG8nJUJiQAT0lD9tKFac/BwfZamVIxr0+vnFSr0mDOzAri642dw38hH0iCJ7o eaNTYH7p1pRM9jBdDd6LQxWzVgH7A8Gu3T6fHko5M+Sj9x3X5xgOg3qqzIsCa3OSS1kyC2HmdiL tfu6x22lpS8yj6ytaRIShnyFUM82dNmqnogm2rWJ5AtunYw/9IXVxGt/pw5Wvj3jzs7nVCkt9yU CbEOHk7uQaegK5u2GEtZ8JLew15NAN9Op3d571JJlMEoRqaVjhzlu9cLbA6i7leip8P5tulb5mQ 0gOx0fL7aA5f4VxCv7F/rcUi9BysrBOxNUxpLkv5AgGIlKsfJFdAApSX3oCOWANE9i1fMiyw4mg LWVNSjkx0QEv3RL4Pudj6eKuM2tQNu6xvcYXCMELNu/SoDB0LSuv5w9kQ= X-Received: by 2002:a05:6a00:2905:b0:838:5145:c1c5 with SMTP id d2e1a72fcca58-84210b3b262mr2263498b3a.21.1780051451262; Fri, 29 May 2026 03:44:11 -0700 (PDT) Received: from teatimelab.tailcd024.ts.net ([192.129.190.145]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-8421bfec5cbsm335418b3a.41.2026.05.29.03.44.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 May 2026 03:44:10 -0700 (PDT) From: Qi Tang To: fw@strlen.de Cc: jiayuan.chen@linux.dev, pablo@netfilter.org, netfilter-devel@vger.kernel.org, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, netdev@vger.kernel.org, dsahern@kernel.org, idosch@nvidia.com, horms@kernel.org, lyutoon@gmail.com, stable@vger.kernel.org, Qi Tang Subject: Re: [PATCH net] ipv4: validate ip_forward_options() option fields against skb tail Date: Fri, 29 May 2026 18:43:56 +0800 Message-ID: <20260529104356.911666-1-tpluszz77@gmail.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Florian Westphal wrote: > I'm not sure netfilter is the only facility that can munge data this > way nowadays. The plan is to disable arbitrary network header rewrites: > > https://lore.kernel.org/netfilter-devel/20260527121147.22076-1-fw@strlen.de/ Agreed, the source side is the better place for this on mainline. I went looking for other ways into the window between option compile (ip_rcv_options() in ip_rcv_finish_core, after PREROUTING) and ip_forward_options(), and only found nft_payload and nfqueue at the FORWARD hook. tc/cls-act run before compile (ingress) or after ip_forward_options (egress), BPF at the netfilter hook can't write the packet (base helpers only, no bpf_skb_store_bytes), and the LWT_IN BPF path is blocked by the verifier. So your two-part restriction closes the only in-tree triggers I could find. This is just one consumer of the pattern; __ip_options_echo(), ipmr_cache_report() and the CIPSO/CALIPSO netlbl_skbuff_getattr() path are the same, posted as a series here: https://lore.kernel.org/netdev/20260524041442.2432071-1-tpluszz77@gmail.com/ so if the source-side restriction is the way to go it probably makes more sense to drop these consumer-side checks than to fix each site. Your call. Thanks, Qi