| author | Fernando Fernandez Mancera <fmancera@suse.de> | 2026-04-28 13:25:48 +0300 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-04-30 18:59:01 +0300 |
| commit | 952e121c96137c73bd3e59bb20a93ef659376947 (patch) | |
| tree | 04d80a5fa5f620d24ab8fea1a22401beb94c0855 /include | |
| parent | 009d203e56dbe8db2589455b9e3644955f30313a (diff) | |
| download | linux-952e121c96137c73bd3e59bb20a93ef659376947.tar.xz | |
netfilter: xtables: fix L4 header parsing for non-first fragments
Multiple targets and matches rely on the L4 header to operate. For
fragmented packets, every fragment carries the transport protocol
identifier, but only the first fragment contains the L4 header.
As the 'raw' table can be configured to run at priority -450 (before
defragmentation at -400), the target/match can be reached before
reassembly. In this case, non-first fragments have their payload
incorrectly parsed as a TCP/UDP header. This would of course be a
misconfiguration scenario. In most cases this just leads to
unreliable behavior for fragmented traffic.
Add a fragment check to ensure target/match only evaluates unfragmented
packets or the first fragment in the stream.
Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
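The check the commit message describes, as an added stand-alone illustration that is not the kernel's code or this patch: a non-first IPv4 fragment has a non-zero fragment offset, so the bytes after its IP header are payload, not a TCP/UDP header, and a match that reads ports from it reads garbage. The function names (`ipv4_l4_header_present`, `l4_dport`, `build_pkt`) and the packets are constructed here for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IPv4 fragment field layout (RFC 791): 3 flag bits, then a 13-bit offset
 * expressed in 8-byte units. These constants mirror the header format. */
#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* fragment offset */

/* Hypothetical helper (not kernel code): is it safe to parse the bytes after
 * the IPv4 header as an L4 header?
 *   1  -> unfragmented packet or first fragment: L4 header is present
 *   0  -> non-first fragment: payload only, no L4 header
 *  -1  -> IPv4 header itself is truncated or malformed */
int ipv4_l4_header_present(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20)
        return -1;
    if ((pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;

    /* Fields are big-endian on the wire; read bytes, not a host-order struct. */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    uint16_t offset = frag & IP_OFFMASK;

    /* Offset 0 covers both the unfragmented case and the first fragment
     * (which may still have IP_MF set). Any other offset is a later fragment. */
    return offset == 0 ? 1 : 0;
}

/* Hypothetical consumer: a port-based match that refuses to read ports
 * unless the L4 header is actually there. Returns the destination port,
 * or -1 when it must not be evaluated. */
int l4_dport(const uint8_t *pkt, size_t len)
{
    if (ipv4_l4_header_present(pkt, len) != 1)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    /* Source and destination ports are the first 4 bytes of both TCP and UDP. */
    if (len < ihl + 4)
        return -1;
    return (pkt[ihl + 2] << 8) | pkt[ihl + 3];
}

/* Build a constructed 20-byte IPv4 header plus payload into buf (>= 20+plen). */
static size_t build_pkt(uint8_t *buf, uint16_t frag_off, uint8_t proto,
                        const uint8_t *payload, size_t plen)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                         /* version 4, IHL 5 (20 bytes) */
    uint16_t tot = (uint16_t)(20 + plen);
    buf[2] = (uint8_t)(tot >> 8);
    buf[3] = (uint8_t)(tot & 0xff);
    buf[6] = (uint8_t)(frag_off >> 8);
    buf[7] = (uint8_t)(frag_off & 0xff);
    buf[8] = 64;                           /* TTL */
    buf[9] = proto;                        /* 17 = UDP */
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* Constructed UDP header start: sport 0x1234, dport 53. */
static const uint8_t udp_ports[4] = { 0x12, 0x34, 0x00, 0x35 };

/* Unfragmented datagram: ports are readable. */
int demo_unfragmented(void)
{
    uint8_t buf[64];
    size_t n = build_pkt(buf, 0x0000, 17, udp_ports, sizeof udp_ports);
    return l4_dport(buf, n);
}

/* First fragment (MF set, offset 0): ports are still readable. */
int demo_first_fragment(void)
{
    uint8_t buf[64];
    size_t n = build_pkt(buf, IP_MF, 17, udp_ports, sizeof udp_ports);
    return l4_dport(buf, n);
}

/* Non-first fragment (offset 1 = 8 bytes in): the same 4 bytes are payload,
 * and the match must not interpret them as ports. */
int demo_nonfirst_fragment(void)
{
    uint8_t buf[64];
    size_t n = build_pkt(buf, 0x0001, 17, udp_ports, sizeof udp_ports);
    return l4_dport(buf, n);
}
```

Without the fragment-offset check, `demo_nonfirst_fragment` would happily report port 53 from what is really mid-payload data, which is the unreliable matching the commit message describes for a raw table running ahead of defragmentation.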
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
