Commit 71212c9b authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport

This is overly conservative and not flexible at all, so better let them
go through and let the filtering policy decide what to do with them. We
use skb_header_pointer() all over the place so we would just fail to
match when trying to access fields from malformed traffic.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 10151d7b
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
#include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ipv6.h> #include <net/ipv6.h>
static inline int static inline void
nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt, nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
struct sk_buff *skb, struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
...@@ -17,15 +17,13 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt, ...@@ -17,15 +17,13 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL); protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
if (protohdr < 0) { if (protohdr < 0) {
nft_set_pktinfo_proto_unspec(pkt, skb); nft_set_pktinfo_proto_unspec(pkt, skb);
return -1; return;
} }
pkt->tprot_set = true; pkt->tprot_set = true;
pkt->tprot = protohdr; pkt->tprot = protohdr;
pkt->xt.thoff = thoff; pkt->xt.thoff = thoff;
pkt->xt.fragoff = frag_off; pkt->xt.fragoff = frag_off;
return 0;
} }
static inline int static inline int
......
...@@ -22,9 +22,7 @@ static unsigned int nft_do_chain_ipv6(void *priv, ...@@ -22,9 +22,7 @@ static unsigned int nft_do_chain_ipv6(void *priv,
{ {
struct nft_pktinfo pkt; struct nft_pktinfo pkt;
/* malformed packet, drop it */ nft_set_pktinfo_ipv6(&pkt, skb, state);
if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
return NF_DROP;
return nft_do_chain(&pkt, priv); return nft_do_chain(&pkt, priv);
} }
......
...@@ -32,9 +32,7 @@ static unsigned int nf_route_table_hook(void *priv, ...@@ -32,9 +32,7 @@ static unsigned int nf_route_table_hook(void *priv,
u_int8_t hop_limit; u_int8_t hop_limit;
u32 mark, flowlabel; u32 mark, flowlabel;
/* malformed packet, drop it */ nft_set_pktinfo_ipv6(&pkt, skb, state);
if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
return NF_DROP;
/* save source/dest address, mark, hoplimit, flowlabel, priority */ /* save source/dest address, mark, hoplimit, flowlabel, priority */
memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr)); memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment