
Bug#1002706: Fwd: nftables stateless NAT in raw table mangles fragmented UDP packets



Hi all,

The patch made its way to mainline / latest.

Any chance to get it backported to 4.19?


> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> [ Upstream commit 4e1860a3863707e8177329c006d10f9e37e097a8 ]
>
> IP fragments do not come with the transport header, hence skip bogus
> layer 4 checksum updates.
>
> Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields")
> Reported-and-tested-by: Steffen Weinreich <steve@weinreich.org>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  net/netfilter/nft_payload.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
> index a44b14f6c0dc0..132875cd7fff2 100644
> --- a/net/netfilter/nft_payload.c
> +++ b/net/netfilter/nft_payload.c
> @@ -502,6 +502,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
>  				     struct sk_buff *skb,
>  				     unsigned int *l4csum_offset)
>  {
> +	if (pkt->fragoff)
> +		return -1;
> +
>  	switch (pkt->tprot) {
>  	case IPPROTO_TCP:
>  		*l4csum_offset = offsetof(struct tcphdr, check);
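
Review bot: the early return at the top of nft_payload_l4csum_offset() carries no comment, so a reader has to go to the commit log to learn that a nonzero pkt->fragoff means this skb is a non-first fragment without a transport header, and that -1 here is meant as "skip the layer 4 checksum update" rather than as a hard error; a one-line comment above `if (pkt->fragoff)` stating both would help. Two points to confirm for the 4.19 backport requested in this thread: that the 4.19 struct nft_pktinfo exposes the fragment offset under the same name used in this hunk (this is a stable-tree patch and the field layout may differ in an older tree), and that the caller of this function in 4.19 still treats a negative return as "leave the checksum alone" instead of dropping or failing the packet. Note also that the check fires only for fragoff != 0, so the first fragment, which does carry the TCP/UDP header, still gets its checksum adjusted as before; that is the intended behaviour but is worth stating in the comment.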
> -- 2.34.1
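
As an added illustration (not code from this thread or from the kernel tree), the following userspace C model shows why the guard in the patch is needed: it performs the stateless NAT rewrite of the IPv4 source address with the RFC 1624 delta update of the UDP checksum, once with the fragment-offset check that mirrors `if (pkt->fragoff) return -1;` and once without it. The function names (snat_saddr, run_demo, build_ipv4), the addresses and the payloads are my own constructions and the test packets are built inline. An unfragmented datagram stands in for a first fragment, since both have a fragment offset of 0 and take the same path through the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Userspace model of the patch's guard: a non-first IPv4 fragment (offset != 0) has
 * no transport header, so stateless NAT must skip the L4 checksum fix-up after an
 * address rewrite or it clobbers payload. Constructed packets; RFC 791/768/1624. */
#define IP_OFFSET   0x1FFF   /* fragment-offset bits of the frag_off field */
#define IPPROTO_UDP 17
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v & 0xFFFF); }
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xFFFF) + (s >> 16); return (uint16_t)s; }

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (size_t i = 0; i + 1 < n; i += 2) acc += rd16(p + i);
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    return acc;
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one 32-bit word m -> m': the same
 * delta update the kernel's csum_replace4() applies when an address changes. */
static uint16_t csum_replace4(uint16_t check, uint32_t from, uint32_t to)
{
    uint32_t s = (uint16_t)~check;
    s += (uint16_t)~(from >> 16) + (uint16_t)~(from & 0xFFFF);
    s += (to >> 16) + (to & 0xFFFF);
    return (uint16_t)~fold(s);
}

/* Full UDP checksum over pseudo-header, header and payload, to cross-check the
 * delta result. Needs the whole datagram, so unfragmented input only. */
static uint16_t udp_full_csum(const uint8_t *pkt)
{
    const uint8_t *udp = pkt + (pkt[0] & 0xF) * 4;
    uint16_t ulen = rd16(udp + 4);
    uint32_t s = sum16(pkt + 12, 8, IPPROTO_UDP + ulen);   /* saddr, daddr, zero|proto, len */
    s = sum16(udp + 8, ulen - 8, sum16(udp, 6, s));        /* ports + len, then payload */
    uint16_t c = (uint16_t)~fold(s);
    return c ? c : 0xFFFF;                                 /* RFC 768: zero is sent as all-ones */
}

/* Stateless SNAT of the IPv4 source address with the pseudo-header fix-up of the UDP
 * checksum. guard=1 is the patched behaviour, guard=0 the pre-fix one. Returns 1 if
 * the L4 checksum field was written. (The IP header checksum is out of scope here.) */
static int snat_saddr(uint8_t *pkt, uint32_t new_saddr, int guard)
{
    uint32_t old = rd32(pkt + 12);
    uint8_t *check = pkt + (pkt[0] & 0xF) * 4 + 6;   /* offsetof(struct udphdr, check) */
    wr32(pkt + 12, new_saddr);
    if (guard && (rd16(pkt + 6) & IP_OFFSET))
        return 0;                    /* the patch: no transport header in this fragment */
    if (pkt[9] != IPPROTO_UDP || rd16(check) == 0)
        return 0;                    /* not UDP, or the sender disabled the checksum */
    uint16_t c = csum_replace4(rd16(check), old, new_saddr);
    wr16(check, c ? c : 0xFFFF);
    return 1;
}

/* Minimal 20-byte IPv4 header (no options) followed by 'data'; returns total length. */
static size_t build_ipv4(uint8_t *pkt, uint16_t frag_off, uint32_t saddr,
                         uint32_t daddr, const uint8_t *data, size_t dlen)
{
    memset(pkt, 0, 20);
    pkt[0] = 0x45; pkt[8] = 64; pkt[9] = IPPROTO_UDP;
    wr16(pkt + 2, 20 + dlen); wr16(pkt + 6, frag_off);
    wr32(pkt + 12, saddr); wr32(pkt + 16, daddr);
    memcpy(pkt + 20, data, dlen);
    return 20 + dlen;
}

struct demo_result {
    int whole_updated, whole_valid;            /* unfragmented: rewritten (1), matches full recompute (1) */
    int frag_guard_updated, frag_guard_intact; /* non-first fragment, patched: skipped (0), payload intact (1) */
    int frag_nofix_intact;                     /* non-first fragment, pre-fix: payload intact? (0) */
};

static struct demo_result run_demo(void)
{
    struct demo_result r; uint8_t pkt[64];
    uint8_t udp[20] = { 0x0f, 0xa0, 0x14, 0xe9, 0x00, 0x14, 0x00, 0x00,   /* 4000 -> 5353, len 20 */
                        'f', 'r', 'a', 'g', 'm', 'e', 'n', 't', 't', 'e', 's', 't' };
    static const uint8_t tail[] = "payload-of-frag2"; const size_t tlen = 16; /* constructed tail at offset 185 */
    const uint32_t src = 0xC0A80102, dst = 0xC0A80201, nat = 0xCB007101; /* 192.168.1.2 -> 203.0.113.1 */
    build_ipv4(pkt, 0, src, dst, udp, sizeof udp);
    wr16(pkt + 26, udp_full_csum(pkt));               /* sender writes a valid checksum */
    r.whole_updated = snat_saddr(pkt, nat, 1);
    r.whole_valid = rd16(pkt + 26) == udp_full_csum(pkt);
    build_ipv4(pkt, 185, src, dst, tail, tlen);
    r.frag_guard_updated = snat_saddr(pkt, nat, 1);
    r.frag_guard_intact = memcmp(pkt + 20, tail, tlen) == 0;
    build_ipv4(pkt, 185, src, dst, tail, tlen);       /* same fragment, pre-fix behaviour */
    snat_saddr(pkt, nat, 0);
    r.frag_nofix_intact = memcmp(pkt + 20, tail, tlen) == 0;
    return r;
}
```

Without the check, the "checksum" written at ihl + 6 of a non-first fragment lands two bytes inside payload data, which is the mangling the bug title describes; with it, the fragment passes through untouched and only a packet with offset 0, which really carries the UDP header, has its checksum adjusted. The delta update itself is exact, so the adjusted checksum on the unfragmented packet equals a full recomputation over the new pseudo-header.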

