Message-ID: <ccb00a3e-4f73-4354-a94a-920d7b29c9df@compton.nu>
Date: Tue, 6 Aug 2024 12:38:25 +0100
From: Tom Hughes <tom@...pton.nu>
To: Florian Westphal <fw@...len.de>
Cc: pablo@...filter.org, kadlec@...filter.org,
 netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] netfilter: allow ipv6 fragments to arrive on different
 devices

On 06/08/2024 12:28, Florian Westphal wrote:
> Tom Hughes <tom@...pton.nu> wrote:
>> Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
>> for multicast and link-local packets") modified the ipv6 fragment
>> reassembly logic to distinguish frag queues by device for multicast
>> and link-local packets but in fact only the main reassembly code
>> limits the use of the device to those address types and the netfilter
>> reassembly code uses the device for all packets.
>>
>> This means that if fragments of a packet arrive on different interfaces
>> then netfilter will fail to reassemble them and the fragments will be
>> expired without going any further through the filters.
>>
>> Signed-off-by: Tom Hughes <tom@...pton.nu>
> 
> Probably:
> Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
> 
> ?
> 
> Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex
> for types other than mcast/linklocal.

Ah yes... I had found that change and knew it changed how the main
reassembly code implemented the exception but hadn't realised that
before that netfilter shared the comparison routine.

I'll update the patch to add that.

Tom

-- 
Tom Hughes (tom@...pton.nu)
http://compton.nu/
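
The queue-key difference discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a userspace model in which the struct, function names, addresses and fragment id are all hypothetical. It shows why keying on the device for every packet splits fragments that arrive on different interfaces, while keying on it only for multicast and link-local destinations does not.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified queue key; the kernel's real key has more fields. */
struct frag_key {
    struct in6_addr saddr, daddr;
    uint32_t id;   /* fragment identification */
    int iif;       /* incoming interface index, 0 = any device */
};

/* Build the key. scoped=false: device always part of the key (the netfilter
 * behaviour the commit message describes). scoped=true: device kept only for
 * multicast and link-local destinations (the main reassembly behaviour). */
static struct frag_key make_key(const struct in6_addr *s, const struct in6_addr *d,
                                uint32_t id, int iif, bool scoped)
{
    struct frag_key k = { .saddr = *s, .daddr = *d, .id = id, .iif = iif };
    if (scoped && !IN6_IS_ADDR_MULTICAST(d) && !IN6_IS_ADDR_LINKLOCAL(d))
        k.iif = 0;
    return k;
}

/* Would two fragments of one packet, received on iif_a and iif_b, be placed
 * in the same reassembly queue? Addresses and id are constructed samples. */
static bool same_queue(const char *dst, int iif_a, int iif_b, bool scoped)
{
    struct in6_addr s, d;
    if (inet_pton(AF_INET6, "2001:db8::1", &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1)
        return false;
    struct frag_key a = make_key(&s, &d, 0x1234, iif_a, scoped);
    struct frag_key b = make_key(&s, &d, 0x1234, iif_b, scoped);
    return memcmp(&a.saddr, &b.saddr, sizeof(a.saddr)) == 0 &&
           memcmp(&a.daddr, &b.daddr, sizeof(a.daddr)) == 0 &&
           a.id == b.id && a.iif == b.iif;
}

int main(void)
{
    const char *dsts[] = { "2001:db8::2", "fe80::1", "ff02::1" };
    for (size_t i = 0; i < sizeof(dsts) / sizeof(dsts[0]); i++)
        printf("%-12s device-always=%d device-scoped=%d\n", dsts[i],
               same_queue(dsts[i], 2, 3, false), same_queue(dsts[i], 2, 3, true));
    return 0;
}
```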

