mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 23:25:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Pablo Neira Ayuso 0ae8e4cca7 netfilter: nf_tables: set transport offset from mac header for netdev/egress 
Before this patch, transport offset (pkt->thoff) provides an offset
relative to the network header. This is fine for the inet families
because skb->data points to the network header in such case. However,
from netdev/egress, skb->data points to the mac header (if available),
thus, pkt->thoff is missing the mac header length.

Add skb_network_offset() to the transport offset (pkt->thoff) for
netdev, so transport header mangling works as expected. Adjust payload
fast eval function to use skb->data now that pkt->thoff provides an
absolute offset. This explains why users report that matching on
egress/netdev works but payload mangling does not.

This patch implicitly fixes payload mangling for IPv4 packets in
netdev/egress given skb_store_bits() requires an offset from skb->data
to reach the transport header.

I suspect that nft_exthdr and the trace infra were also broken from
netdev/egress because they also take skb->data as start, and pkt->thoff
was not correct.

Note that IPv6 is fine because ipv6_find_hdr() already provides a
transport offset starting from skb->data, which includes
skb_network_offset().

The bridge family also uses nft_set_pktinfo_ipv4_validate(), but there
skb_network_offset() is zero, so the update in this patch does not alter
the existing behaviour.

Fixes: 42df6e1d22 ("netfilter: Introduce egress hook")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2023-12-20 10:43:21 +01:00
..
6lowpan
9p 9p/net: fix possible memory leak in p9_check_errors() 2023-10-27 12:44:13 +09:00
802 net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
8021q net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() 2023-12-19 13:13:56 +01:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-14 12:02:45 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-12 13:14:08 +01:00
ax25
batman-adv
bluetooth This update includes the following changes: 2023-11-02 16:15:30 -10:00
bpf bpf: Add __bpf_kfunc_{start,end}_defs macros 2023-11-01 22:33:53 -07:00
bpfilter
bridge netfilter: nf_conntrack_bridge: initialize err to 0 2023-11-14 16:16:21 +01:00
caif
can
ceph This update includes the following changes: 2023-11-02 16:15:30 -10:00
core net: Return error from sk_stream_wait_connect() if sk_wait_event() fails 2023-12-15 10:48:51 +00:00
dcb
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-02 12:56:03 +01:00
devlink netlink: specs: devlink: add forgotten port function caps enum values 2023-11-01 22:13:43 -07:00
dns_resolver
dsa
ethernet
ethtool ethtool: don't propagate EOPNOTSUPP from dumps 2023-11-29 08:43:27 -08:00
handshake Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
hsr hsr: Prevent use after free in prp_create_tagged_frame() 2023-11-01 22:26:04 -07:00
ieee802154
ife net: sched: ife: fix potential use-after-free 2023-12-15 10:50:18 +00:00
ipv4 Revert "tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set" 2023-12-13 10:58:54 -08:00
ipv6 net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX 2023-12-08 10:40:51 +00:00
iucv
kcm net: kcm: fill in MODULE_DESCRIPTION() 2023-11-08 18:17:44 -08:00
key
l2tp
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-01 22:21:32 -07:00
mac80211 wifi: mac80211: mesh_plink: fix matches_local logic 2023-12-12 10:14:57 +01:00
mac802154
mctp
mpls
mptcp mptcp: fill in missing MODULE_DESCRIPTION() 2023-12-17 20:54:22 +00:00
ncsi Revert ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-11-15 09:59:44 +00:00
netfilter netfilter: nf_tables: set transport offset from mac header for netdev/egress 2023-12-20 10:43:21 +01:00
netlabel
netlink drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group 2023-12-07 09:54:02 -08:00
netrom
nfc
nsh
openvswitch net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-08 17:47:08 -08:00
packet packet: Move reference count in packet_sock to atomic_long_t 2023-12-04 14:45:04 -08:00
phonet
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-07 09:54:02 -08:00
qrtr
rds
rfkill net: rfkill: gpio: set GPIO direction 2023-12-12 10:14:57 +01:00
rose net/rose: fix races in rose_kill_by_device() 2023-12-15 11:59:53 +00:00
rxrpc rxrpc: Defer the response to a PING ACK until we've parsed it 2023-11-17 02:50:33 +00:00
sched net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table 2023-12-11 09:59:58 +00:00
sctp net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
smc net/smc: fix missing byte order conversion in CLC handshake 2023-12-07 10:10:56 -08:00
strparser
sunrpc NFS client updates for Linux 6.7 2023-11-08 13:39:16 -08:00
switchdev
tipc net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
tls net: tls, update curr on splice as well 2023-12-07 09:52:28 -08:00
unix bpf, sockmap: af_unix stream sockets need to hold ref for pair sock 2023-11-30 00:25:16 +01:00
vmw_vsock vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() 2023-12-13 17:59:08 -08:00
wireless wifi: cfg80211: fix certs build to not depend on file order 2023-12-14 09:11:51 +01:00
x25
xdp xsk: Skip polling event check for unbound socket 2023-12-05 13:43:43 +01:00
xfrm Including fixes from netfilter and bpf. 2023-11-09 17:09:35 -08:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c bpf: Add __bpf_hook_{start,end} macros 2023-11-01 22:33:53 -07:00
sysctl_net.c