git.ipfire.org Git - thirdparty/linux.git/commit
netfilter: disable payload mangling in userns
author: Florian Westphal <fw@strlen.de>
Sat, 16 May 2026 15:23:21 +0000 (23:23 +0800)
committer: Florian Westphal <fw@strlen.de>
Fri, 22 May 2026 10:28:46 +0000 (12:28 +0200)
commit: 968cc2c96390f06e56ed6a43f935bfebdefed28f
tree: 7deb736a22c509d5e560980b5f47b63d871e18fd
parent: c376f07e16c02239ed44cabb97145d03f65b4d15
netfilter: disable payload mangling in userns

Several parts of network stack rely on iph->ihl validation
done by network stack before PRE_ROUTING.

Disable this feature for user namespaces for now.

tcp option handling is likely safe even for LOCAL_IN, so this
leaves tcp option mangling via nft_exthdr.c as-is.

I don't think these are the only means to alter packets, but these
appear to be relatively prominent.

This could be relaxed later.  Example:
 - allow userns for ingress hook.
 - allow userns if base is transport header.

Also, we should revalidate or restrict generally:
 - Don't allow linklayer writes to spill into network header
 - restrict ipv4 and ipv6 to 'known safe' writes, e.g.
   saddr/daddr/check/tos

Reported-by: Qi Tang <tpluszz77@gmail.com>
Reported-by: Tong Liu <lyutoon@gmail.com>
Tested-by: Qi Tang <tpluszz77@gmail.com>
Link: https://lore.kernel.org/netfilter-devel/20260515100411.3141-1-fw@strlen.de/
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nfnetlink_queue.c
net/netfilter/nft_payload.c