
Bug#1002706: Fwd: nftables stateless NAT in raw table mangles fragmented UDP packets



Hi all,

The following patch on top of 4.19.208 has been working in our test system
since Jan 5.

cheerio

Steve

On 27.01.22 at 22:59, Florian Westphal wrote:
> Salvatore Bonaccorso <carnil@debian.org> wrote:
>> Hi,
>>
>> On Thu, Jan 27, 2022 at 06:26:10PM +0100, Steffen Weinreich wrote:
>>> Hi all,
>>>
>>> The patch made its way to mainline / latest
>>>
>>> Any chance to get it backported to 4.19?
>> It would need to have a backport sent to stable@vger.kernel.org. Once
>> it lands in the older stable series, we can include it as well
>> downstream in Debian. What does Pablo say on the backport for the
>> older series? I see it has been applied to 5.15.17 and 5.16.3, but is
>> not yet queued for older series.
> That's because the patch won't compile as-is on those older kernels,
> it needs a minor change.  I can try to do it tomorrow and send it to
> stable.
--- linux-source-4.19/net/netfilter/nft_payload.c.orig	2021-09-26 11:39:49.000000000 +0000
+++ linux-source-4.19/net/netfilter/nft_payload.c	2022-01-04 18:53:04.888219213 +0000
@@ -194,6 +194,9 @@
 				     struct sk_buff *skb,
 				     unsigned int *l4csum_offset)
 {
+	if (pkt->xt.fragoff)
+		return -1;
+
 	switch (pkt->tprot) {
 	case IPPROTO_TCP:
 		*l4csum_offset = offsetof(struct tcphdr, check);
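
Review bot: The new `if (pkt->xt.fragoff)` early return at the top of the function carries no comment saying why fragments are rejected. A one-line comment would help here, for example that a packet with a non-zero fragment offset does not begin with the transport header, so there is no valid `*l4csum_offset` to hand back for it. The hunk does not show the caller, so the backport should also confirm that the 4.19 caller treats the `-1` return as "leave the L4 checksum alone" and does not go on to use an unset `*l4csum_offset`.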
