Open Source and information security mailing list archives
Message-ID: <20190620104804.cbbodvw2llnt6qcl@salvia>
Date:   Thu, 20 Jun 2019 12:48:04 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     wenxu@...oud.cn
Cc:     fw@...len.de, netfilter-devel@...r.kernel.org,
        netdev@...r.kernel.org
Subject: Re: [PATCH nf-next] netfilter: bridge: Fix non-untagged fragment packet

On Wed, Jun 19, 2019 at 10:35:07PM +0800, wenxu@...oud.cn wrote:
[...]
> So if the first fragment packet doesn't contain a vlan tag, all of the
> remaining ones should not contain a vlan tag.

If I understand correctly, the problem is this:

* First fragment comes with no vlan tag.
* Second fragment comes with vlan tag.

If you have a vlan setup, you have to use ct zone to map the vlan id
to the corresponding ct zone.

nf_ct_br_defrag4() calls:

        err = ip_defrag(state->net, skb,
                                IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone_id);

if ct zones are used, the first fragment will go to defrag queue
IP_DEFRAG_CONNTRACK_BRIDGE_IN + 0, while the second fragment will go to
IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone_id.

So they will go to different defrag queues.

> Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
> Signed-off-by: wenxu <wenxu@...oud.cn>
> ---
>  net/bridge/netfilter/nf_conntrack_bridge.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
> index b675cd7..4f5444d 100644
> --- a/net/bridge/netfilter/nf_conntrack_bridge.c
> +++ b/net/bridge/netfilter/nf_conntrack_bridge.c
> @@ -331,6 +331,8 @@ static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
>  	}
>  	if (data->vlan_present)
>  		__vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
> +	else if (skb_vlan_tag_present(skb))
> +		__vlan_hwaccel_clear_tag(skb);
>  
>  	skb_copy_to_linear_data_offset(skb, -ETH_HLEN, data->mac, ETH_HLEN);
>  	skb_reset_mac_header(skb);
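Review bot: the new `else if (skb_vlan_tag_present(skb)) __vlan_hwaccel_clear_tag(skb);` in nf_ct_bridge_frag_restore() silently strips a tag from a reassembled skb whenever the saved fragment data says `data->vlan_present` is false, but neither the hunk nor the changelog explains how an skb restored from untagged fragment data ends up carrying a VLAN tag in the first place. As the reply above points out, when ct zones map the vlan id to a zone, an untagged first fragment and a tagged second fragment are queued under different defrag users (IP_DEFRAG_CONNTRACK_BRIDGE_IN + 0 versus + zone_id), so a tag/no-tag mismatch at restore time is more likely a sign of fragments that should never have been reassembled together than a stray tag to clear. Please spell out the exact reproducing scenario in the commit message (with and without ct zones) and consider whether the mismatch should be reported or dropped rather than clearing the tag without any trace.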
> -- 
> 1.8.3.1
> 
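The reply above argues that, with ct zones in use, an untagged first fragment and a tagged second fragment are handed to ip_defrag() under different "user" values and therefore land in different reassembly queues. The following C program is an added illustration of that queue-selection logic, not code from the kernel or from this patch: the vlan-to-zone table, the numeric value of IP_DEFRAG_CONNTRACK_BRIDGE_IN, the addresses and the matching fields are all constructed for the example (the kernel matches fragments on user, addresses, IP id and protocol, modelled here by same_defrag_queue()).

```c
/* Added example, not kernel code: models how the bridge conntrack defrag
 * path picks a per-fragment defrag queue from the VLAN tag via ct zones. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholder value; the real enum ip_defrag_users constant differs. */
#define IP_DEFRAG_CONNTRACK_BRIDGE_IN 0x10000u
#define MAX_VLAN 4096

/* Constructed ct-zone table: vlan id -> ct zone id (untagged => zone 0). */
static uint16_t vlan_to_zone[MAX_VLAN];

void set_vlan_zone(uint16_t vlan_id, uint16_t zone_id)
{
	vlan_to_zone[vlan_id & 0xfff] = zone_id;
}

struct frag {
	bool vlan_present;	/* skb_vlan_tag_present() */
	uint16_t vlan_id;	/* VID from the 802.1Q TCI */
	uint32_t saddr, daddr;	/* IPv4 addresses (constructed) */
	uint16_t ip_id;		/* IPv4 identification field */
	uint8_t proto;
};

/* The "user" argument handed to ip_defrag(): base + zone derived from the tag. */
uint32_t defrag_user(const struct frag *f)
{
	uint16_t zone = f->vlan_present ? vlan_to_zone[f->vlan_id & 0xfff] : 0;
	return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
}

/* Two fragments can only be reassembled together if they resolve to the same
 * queue: same defrag user plus the same addresses, IP id and protocol. */
bool same_defrag_queue(const struct frag *a, const struct frag *b)
{
	return defrag_user(a) == defrag_user(b) &&
	       a->saddr == b->saddr && a->daddr == b->daddr &&
	       a->ip_id == b->ip_id && a->proto == b->proto;
}

static struct frag make_frag(bool tagged, uint16_t vid)
{
	struct frag f;
	memset(&f, 0, sizeof(f));
	f.vlan_present = tagged;
	f.vlan_id = vid;
	f.saddr = 0x0a000001u;	/* 10.0.0.1, constructed */
	f.daddr = 0x0a000002u;	/* 10.0.0.2, constructed */
	f.ip_id = 0x1234;
	f.proto = 17;		/* UDP */
	return f;
}

/* Scenario from the reply: untagged first fragment, tagged second fragment. */
bool scenario_untagged_then_tagged(void)
{
	set_vlan_zone(100, 7);
	struct frag first = make_frag(false, 0);
	struct frag second = make_frag(true, 100);
	return same_defrag_queue(&first, &second);	/* false: split queues */
}

/* Control: both fragments carry the same tag and share one queue. */
bool scenario_both_tagged(void)
{
	set_vlan_zone(100, 7);
	struct frag first = make_frag(true, 100);
	struct frag second = make_frag(true, 100);
	return same_defrag_queue(&first, &second);	/* true */
}

int main(void)
{
	printf("untagged+tagged share queue: %d\n", scenario_untagged_then_tagged());
	printf("tagged+tagged share queue:   %d\n", scenario_both_tagged());
	return 0;
}
```

The point the model makes concrete is that, once zones are keyed by VLAN, the tag decides the queue before any restore step runs, so a mismatch between fragments is a queueing question rather than something a later tag fix-up can reconcile.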
