| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ccb00a3e-4f73-4354-a94a-920d7b29c9df@compton.nu>
Date: Tue, 6 Aug 2024 12:38:25 +0100
From: Tom Hughes <tom@...pton.nu>
To: Florian Westphal <fw@...len.de>
Cc: pablo@...filter.org, kadlec@...filter.org,
netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] netfilter: allow ipv6 fragments to arrive on different
devices
On 06/08/2024 12:28, Florian Westphal wrote:
> Tom Hughes <tom@...pton.nu> wrote:
>> Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
>> for multicast and link-local packets") modified the ipv6 fragment
>> reassembly logic to distinguish frag queues by device for multicast
>> and link-local packets but in fact only the main reassembly code
>> limits the use of the device to those address types and the netfilter
>> reassembly code uses the device for all packets.
>>
>> This means that if fragments of a packet arrive on different interfaces
>> then netfilter will fail to reassemble them and the fragments will be
>> expired without going any further through the filters.
>>
>> Signed-off-by: Tom Hughes <tom@...pton.nu>
>
> Probably:
> Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
>
> ?
>
> Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex
> for types other than mcast/linklocal.
Ah yes... I had found that change and knew it changed how the main
reassembly code implemented the exception but hadn't realised that
before that netfilter shared the comparison routine.
I'll update the patch to add that.
Tom
--
Tom Hughes (tom@...pton.nu)
http://compton.nu/
Powered by blists - more mailing lists