| Message ID | 20240806105751.3291225-1-tom@compton.nu (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | netfilter: allow ipv6 fragments to arrive on different devices | expand |
Tom Hughes <tom@compton.nu> wrote: > Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device > for multicast and link-local packets") modified the ipv6 fragment > reassembly logic to distinguish frag queues by device for multicast > and link-local packets but in fact only the main reassembly code > limits the use of the device to those address types and the netfilter > reassembly code uses the device for all packets. > > This means that if fragments of a packet arrive on different interfaces > then netfilter will fail to reassemble them and the fragments will be > expired without going any further through the filters. > > Signed-off-by: Tom Hughes <tom@compton.nu> Probably: Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units") ? Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex for types other than mcast/linklocal.
On 06/08/2024 12:28, Florian Westphal wrote: > Tom Hughes <tom@compton.nu> wrote: >> Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device >> for multicast and link-local packets") modified the ipv6 fragment >> reassembly logic to distinguish frag queues by device for multicast >> and link-local packets but in fact only the main reassembly code >> limits the use of the device to those address types and the netfilter >> reassembly code uses the device for all packets. >> >> This means that if fragments of a packet arrive on different interfaces >> then netfilter will fail to reassemble them and the fragments will be >> expired without going any further through the filters. >> >> Signed-off-by: Tom Hughes <tom@compton.nu> > > Probably: > Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units") > > ? > > Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex > for types other than mcast/linklocal. Ah yes... I had found that change and knew it changed how the main reassembly code implemented the exception but hadn't realised that before that netfilter shared the comparison routine. I'll update the patch to add that. Tom
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 6f0844c9315d..4120e67a8ce6 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -154,6 +154,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user, }; struct inet_frag_queue *q; + if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST | + IPV6_ADDR_LINKLOCAL))) + key.iif = 0; + q = inet_frag_find(nf_frag->fqdir, &key); if (!q) return NULL;
Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device for multicast and link-local packets") modified the ipv6 fragment reassembly logic to distinguish frag queues by device for multicast and link-local packets but in fact only the main reassembly code limits the use of the device to those address types and the netfilter reassembly code uses the device for all packets. This means that if fragments of a packet arrive on different interfaces then netfilter will fail to reassemble them and the fragments will be expired without going any further through the filters. Signed-off-by: Tom Hughes <tom@compton.nu> --- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++ 1 file changed, 4 insertions(+)