git.ipfire.org Git - thirdparty/kernel/linux.git/commit
netfilter: nf_socket: skip socket lookup for non-first fragments
author: Fernando Fernandez Mancera <fmancera@suse.de>
Tue, 28 Apr 2026 10:25:46 +0000 (12:25 +0200)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 30 Apr 2026 15:59:01 +0000 (17:59 +0200)
commit: 0bf00859d7a5ab685901c36f29df063b825cfaaa
tree: 442d3a449e36c669dcb2ed49d94481313f6e6321
parent: 63bac027860308d1344f761cb47aabb3b30973fd
netfilter: nf_socket: skip socket lookup for non-first fragments

Both nft_socket and xt_socket rely on L4 headers to perform socket
lookup in the slow path. For fragmented packets, while the IP protocol
remains constant across all fragments, only the first fragment contains
the actual L4 header.

As the expression/match could be attached to a chain with a priority
lower than -400, it could bypass defragmentation.

Add a check for fragmentation in the lookup functions directly so the
problem is handled for both nft_socket and xt_socket at the same time.
In addition, future users of the functions would not need to care about
this.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv4/netfilter/nf_socket_ipv4.c
net/ipv6/netfilter/nf_socket_ipv6.c
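The rule the commit message describes, shown as an added user-space C example that is not the kernel's nf_socket code: an IPv4 datagram whose fragment offset is non-zero carries no transport header, so anything that keys a socket lookup on L4 ports must refuse it rather than read payload bytes as a port. The functions `ipv4_frag_state`, `l4_dport_for_lookup`, `build_pkt` and the sample helpers are constructed here for illustration (IPv4 only; the IPv6 side of the fix is not modelled), and the packets are built inline from documentation addresses, not captured traffic.

```c
/* Added example: classify IPv4 datagrams by fragmentation state so an
 * L4-dependent lookup can be skipped for non-first fragments. This is not
 * the kernel's nf_socket_ipv4.c; names and packets are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20
#define IP_MF     0x2000  /* "more fragments" flag in frag_off */
#define IP_OFFSET 0x1fff  /* fragment offset (8-byte units) in frag_off */

enum frag_state {
    FRAG_NONE,       /* unfragmented datagram: L4 header present */
    FRAG_FIRST,      /* MF set, offset 0: L4 header present */
    FRAG_NON_FIRST,  /* offset > 0: bytes after the IP header are payload */
    FRAG_INVALID     /* too short or not IPv4 */
};

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Inspect the frag_off field (bytes 6..7) of an IPv4 header. */
enum frag_state ipv4_frag_state(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HLEN || (pkt[0] >> 4) != 4)
        return FRAG_INVALID;
    uint16_t frag_off = rd16be(pkt + 6);
    if (frag_off & IP_OFFSET)
        return FRAG_NON_FIRST;
    if (frag_off & IP_MF)
        return FRAG_FIRST;
    return FRAG_NONE;
}

/* Hypothetical lookup front-end: returns the L4 destination port a socket
 * lookup would key on, or -1 when the packet must not be looked up
 * (non-first fragment, truncated header, or a protocol without ports). */
int l4_dport_for_lookup(const uint8_t *pkt, size_t len)
{
    enum frag_state st = ipv4_frag_state(pkt, len);
    if (st == FRAG_INVALID || st == FRAG_NON_FIRST)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4u;
    if (ihl < IPV4_MIN_HLEN || len < ihl + 4)
        return -1;                      /* L4 header truncated */
    uint8_t proto = pkt[9];
    if (proto != 6 && proto != 17)
        return -1;                      /* only TCP/UDP have ports at +2 */
    return rd16be(pkt + ihl + 2);
}

/* Build a constructed 24-byte IPv4 packet (IHL 5) followed by 4 bytes that
 * hold sport/dport for a first fragment but would be plain payload for a
 * non-first one. Addresses are from the 192.0.2.0/24 documentation range. */
size_t build_pkt(uint8_t *buf, uint16_t frag_off, uint8_t proto,
                 uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 24);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    buf[3] = 24;                         /* total length */
    buf[6] = (uint8_t)(frag_off >> 8);
    buf[7] = (uint8_t)(frag_off & 0xff);
    buf[8] = 64;                         /* TTL */
    buf[9] = proto;
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 1;
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 2;
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)(sport & 0xff);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)(dport & 0xff);
    return 24;
}

/* Convenience wrappers: build a UDP sample with the given frag_off and run
 * the classifier / lookup gate on it. */
int classify_sample(uint16_t frag_off)
{
    uint8_t b[24];
    size_t n = build_pkt(b, frag_off, 17, 1234, 53);
    return (int)ipv4_frag_state(b, n);
}

int lookup_sample(uint16_t frag_off)
{
    uint8_t b[24];
    size_t n = build_pkt(b, frag_off, 17, 1234, 53);
    return l4_dport_for_lookup(b, n);
}

int main(void)
{
    const uint16_t cases[] = { 0, IP_MF, 0x0001, IP_MF | 0x0010 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("frag_off=0x%04x state=%d dport_for_lookup=%d\n",
               cases[i], classify_sample(cases[i]), lookup_sample(cases[i]));
    return 0;
}
```

The third and fourth cases show the point of the fix: the bytes at offset 20 still read as 1234/53, but because the offset field is non-zero the gate returns -1 instead of treating payload as a port pair. Without defragmentation in front of the match, that gate is the only thing standing between the lookup and garbage input.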