
Bug#1002706: Fwd: nftables stateless NAT in raw table mangles fragmented UDP packets



Hi

The following patch did resolve the issue for me on 5.16.0-rc8. I will also test it on 4.19.0-*-amd64 as soon as I have a working build env for a buster kernel.

cheerio
Steve



-------- Forwarded Message --------
Subject: Re: nftables stateless NAT in raw table mangles fragmented UDP packets
Date: Fri, 31 Dec 2021 14:39:02 +0100
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Steffen Weinreich <steve@weinreich.org>
CC: netfilter@vger.kernel.org


On Fri, Dec 31, 2021 at 02:37:47PM +0100, Pablo Neira Ayuso wrote:
Hi,

On Fri, Dec 31, 2021 at 01:02:13PM +0100, Steffen Weinreich wrote:
> Hi
>
> We have been using kernel 5.10 and nftables (0.9.8-3.1) from Debian for a
> stateless NAT GW. We are using the nftables "raw" tables to statically
> replace source and destination addresses for packets traversing the
> host with two nftables maps, without any connection tracking. The bug is
> also reproducible in a Debian 5.16 kernel from experimental.
>
> If fragmented UDP packets are traversing the gateway, the second fragment
> gets modified at the location where in a non-fragmented packet the UDP
> checksum would be located.
>
> In the sample below the packet content at 0x1a-0x1b was changed from
> 0x61 0x61 to 0xba 0x9e

Could you give a try to this kernel patch?

Wrong patch, attaching again.
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index bd689938a2e0..58e96a0fe0b4 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -546,6 +546,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
 				     struct sk_buff *skb,
 				     unsigned int *l4csum_offset)
 {
+	if (pkt->fragoff)
+		return -1;
+
 	switch (pkt->tprot) {
 	case IPPROTO_TCP:
 		*l4csum_offset = offsetof(struct tcphdr, check);
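Review bot: the new `if (pkt->fragoff) return -1;` at the top of nft_payload_l4csum_offset() should carry a comment stating why fragments are rejected: only the first fragment carries the transport header, so for a later fragment `offsetof(struct udphdr, check)` added to the IP header length points into payload, which is exactly the overwrite at 0x1a-0x1b (20-byte IPv4 header + 6) in the quoted report. The hunk does not show how callers treat the -1, and the forwarded mail has no commit message, so a one-line note that the L4 checksum fix-up is intentionally skipped for non-first fragments (the first fragment, fragoff == 0, still gets it) would make the intent clear to the next reader.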
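To illustrate the bug in the quoted report and what the patch changes, here is an added example in plain C (not code from this thread or from the kernel): it parses two constructed IPv4 fragments of one UDP datagram and shows which byte a checksum fix-up would touch before and after honouring the fragment offset. The packet bytes, addresses, ports and helper names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define IP_OFFMASK      0x1fffu  /* low 13 bits of the IPv4 frag_off field, in 8-octet units */
#define IPPROTO_UDP_NUM 17
#define UDP_CHECK_OFF   6        /* offsetof(struct udphdr, check) */

/* Constructed sample (no real capture): two fragments of one UDP datagram 10.0.0.1 -> 10.0.0.2.
 * frag1 is the first fragment (MF set, offset 0); its payload is shortened for brevity. */
static const uint8_t frag1[] = {
    0x45, 0x00, 0x00, 0x24, 0x12, 0x34, 0x20, 0x00, 0x40, IPPROTO_UDP_NUM, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,                       /* src / dst address */
    0x30, 0x39, 0x30, 0x39, 0x05, 0xd0, 0xab, 0xcd, /* UDP: ports 12345, length 1488, checksum */
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a' };
/* frag2 has fragment offset 185*8 = 1480 and no transport header: bytes 0x14.. are payload 0x61. */
static const uint8_t frag2[] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0xb9, 0x40, IPPROTO_UDP_NUM, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a' };

static unsigned int ipv4_ihl(const uint8_t *pkt)     { return (pkt[0] & 0x0f) * 4u; }
static unsigned int ipv4_fragoff(const uint8_t *pkt) { return (((pkt[6] << 8) | pkt[7]) & IP_OFFMASK) * 8u; }

/* Pre-patch logic: the L4 header is assumed to follow the IP header in every packet,
 * so on frag2 this lands on payload bytes 0x1a-0x1b, exactly as the report describes. */
static int csum_target_naive(const uint8_t *pkt)
{
    if (pkt[9] != IPPROTO_UDP_NUM)
        return -1;
    return (int)(ipv4_ihl(pkt) + UDP_CHECK_OFF);
}

/* Post-patch logic: a non-zero fragment offset means no transport header is present,
 * so there is no checksum field to fix up and the rewrite must be skipped. */
static int csum_target_fixed(const uint8_t *pkt)
{
    if (ipv4_fragoff(pkt) != 0)
        return -1;
    return csum_target_naive(pkt);
}

int main(void)
{
    printf("frag1: fragoff=%u naive=%d fixed=%d\n", ipv4_fragoff(frag1), csum_target_naive(frag1), csum_target_fixed(frag1));
    printf("frag2: fragoff=%u naive=0x%x fixed=%d\n", ipv4_fragoff(frag2), csum_target_naive(frag2), csum_target_fixed(frag2));
    return 0;
}
```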

