git.ipfire.org Git - thirdparty/kernel/linux.git/commit
netfilter: nf_tables: skip L4 header parsing for non-first fragments
author Fernando Fernandez Mancera <fmancera@suse.de>
Tue, 28 Apr 2026 10:25:47 +0000 (12:25 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 30 Apr 2026 15:59:01 +0000 (17:59 +0200)
commit 009d203e56dbe8db2589455b9e3644955f30313a
tree 3e0e476aef1df78e6f394c36be1b6e3f09066b3c
parent 0bf00859d7a5ab685901c36f29df063b825cfaaa
netfilter: nf_tables: skip L4 header parsing for non-first fragments

The tproxy, osf and exthdr (SCTP) expressions rely on the presence of
transport layer headers to perform socket lookups, fingerprint matching,
or chunk extraction. For fragmented packets, while the IP protocol
remains constant across all fragments, only the first fragment contains
the actual L4 header.

The expressions could be attached to a chain with a priority lower than
-400, bypassing defragmentation. Or they could be used in stateless
environments where defragmentation is not happening at all. This could
result in garbage data being used for the matching.

Add a check for pkt->fragoff so only unfragmented packets or the first
fragment are processed.

Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_core.c
net/netfilter/nft_exthdr.c
net/netfilter/nft_osf.c
net/netfilter/nft_tproxy.c
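As an added illustration (not the kernel's code, and not part of this commit), the check the message describes on raw IPv4 headers: the fragment offset is the low 13 bits of bytes 6-7 in 8-byte units, and only a packet with offset 0 (unfragmented, or the first fragment) carries the transport header that tproxy, osf and exthdr would otherwise parse. `struct demo_pktinfo` is a hypothetical stand-in for the kernel's `nft_pktinfo`, and the three sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define IPV4_MIN_HDR 20

/* Hypothetical stand-in for the kernel's nft_pktinfo, reduced to the
 * fields this example needs. fragoff is the fragment offset in bytes. */
struct demo_pktinfo {
    uint8_t  l4proto;
    uint16_t fragoff;
    size_t   thoff;   /* transport header offset; meaningful only if fragoff == 0 */
};

/* Parse an IPv4 header into pkt. Returns 0 on success, -1 if truncated/invalid. */
static int demo_parse_ipv4(const uint8_t *buf, size_t len, struct demo_pktinfo *pkt)
{
    if (len < IPV4_MIN_HDR || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || ihl > len)
        return -1;
    uint16_t frag = (uint16_t)((buf[6] << 8) | buf[7]);
    pkt->l4proto = buf[9];
    pkt->fragoff = (uint16_t)((frag & 0x1fff) * 8); /* offset field, 8-byte units; MF/DF bits ignored */
    pkt->thoff   = ihl;
    return 0;
}

/* The guard the commit adds: an L4 header is only present when the
 * packet is unfragmented or is the first fragment (offset 0). */
static int demo_l4_header_present(const struct demo_pktinfo *pkt)
{
    return pkt->fragoff == 0;
}

/* Constructed 20-byte headers: IHL=5, proto=6 (TCP), 10.0.0.1 -> 10.0.0.2.
 * Bytes 6-7 hold flags+offset: 0x0000 none, 0x2000 MF set/offset 0, 0x00b9 offset 185*8. */
static const uint8_t pkt_unfrag[20] = {0x45,0,0,40, 0,1, 0x00,0x00, 64,6, 0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t pkt_first[20]  = {0x45,0,0,40, 0,1, 0x20,0x00, 64,6, 0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t pkt_second[20] = {0x45,0,0,40, 0,1, 0x00,0xb9, 64,6, 0,0, 10,0,0,1, 10,0,0,2};

/* 1 = safe to parse L4 header, 0 = non-first fragment (skip), -1 = bad header */
static int demo_check(const uint8_t *buf, size_t len)
{
    struct demo_pktinfo pkt;
    if (demo_parse_ipv4(buf, len, &pkt) < 0)
        return -1;
    return demo_l4_header_present(&pkt);
}
```

Without the guard, `pkt_second` would have its payload bytes at `thoff` read as if they were a TCP header, which is the garbage-data case the commit message describes.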