Bug#1002706: Fwd: nftables stateless NAT in raw table mangles fragmented UDP packets

Steffen Weinreich Thu, 27 Jan 2022 09:27:29 -0800

Hi all,

The patch made its way to mainline / latest


Any chance to get it backported to 4.19?


> From: Pablo Neira Ayuso <pa...@netfilter.org>
>
> [ Upstream commit 4e1860a3863707e8177329c006d10f9e37e097a8 ]
>
> IP fragments do not come with the transport header, hence skip bogus
> layer 4 checksum updates.
>
> Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for 
> pseudoheader fields")
> Reported-and-tested-by: Steffen Weinreich <st...@weinreich.org>
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
> Signed-off-by: Sasha Levin <sas...@kernel.org>
> ---
>  net/netfilter/nft_payload.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
> index a44b14f6c0dc0..132875cd7fff2 100644
> --- a/net/netfilter/nft_payload.c
> +++ b/net/netfilter/nft_payload.c
> @@ -502,6 +502,9 @@ static int nft_payload_l4csum_offset(const struct 
> nft_pktinfo *pkt,
>                                    struct sk_buff *skb,
>                                    unsigned int *l4csum_offset)
>  {
> +     if (pkt->fragoff)
> +             return -1;
> +
>       switch (pkt->tprot) {
>       case IPPROTO_TCP:
>               *l4csum_offset = offsetof(struct tcphdr, check);
> -- 2.34.1

Bug#1002706: Fwd: nftables stateless NAT in raw table mangles fragmented UDP packets

Reply via email to