git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Fernando Fernandez Mancera <fmancera@suse.de>
	Tue, 28 Apr 2026 10:25:48 +0000 (12:25 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 30 Apr 2026 15:59:01 +0000 (17:59 +0200)
commit	952e121c96137c73bd3e59bb20a93ef659376947
tree	04d80a5fa5f620d24ab8fea1a22401beb94c0855	tree \| snapshot
parent	009d203e56dbe8db2589455b9e3644955f30313a	commit \| diff

netfilter: xtables: fix L4 header parsing for non-first fragments

Multiple targets and matches relies on L4 header to operate. For
fragmented packets, every fragment carries the transport protocol
identifier, but only the first fragment contains the L4 header.

As the 'raw' table can be configured to run at priority -450 (before
defragmentation at -400), the target/match can be reached before
reassembly. In this case, non-first fragments have their payload
incorrectly parsed as a TCP/UDP header. This would be of course a
misconfiguration scenario. In most of the cases this just lead to a
unreliable behavior for fragmented traffic.

Add a fragment check to ensure target/match only evaluates unfragmented
packets or the first fragment in the stream.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/netfilter/xt_TPROXY.c		diff \| blob \| blame \| history
net/netfilter/xt_ecn.c		diff \| blob \| blame \| history
net/netfilter/xt_hashlimit.c		diff \| blob \| blame \| history
net/netfilter/xt_osf.c		diff \| blob \| blame \| history
net/netfilter/xt_tcpmss.c		diff \| blob \| blame \| history