Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1676927pxu; Sun, 6 Dec 2020 03:43:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJx0D91i+tx0C1Fj1XGjyp3uaj51nfxf8EdLX8FSKxkZkr2QsWbeUUTKe/NxG8I/sAFmYZjW X-Received: by 2002:a17:906:298c:: with SMTP id x12mr887130eje.244.1607255024308; Sun, 06 Dec 2020 03:43:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607255024; cv=none; d=google.com; s=arc-20160816; b=g+42Pwku2f55+JlNGP5fbPFj4ln5ExlLyP7p+iowTsfmn5zh5+U+wXrkmgIlZdzALl UXl6dZbBG23cS4X0jzs+lqRUqRqhycfStqLt2wcQBaY3f+BKtgH/8suyj5NXqZr6LgJt X78/7UrbMccqcDVBrxjV0IN3t8efj5B0EW5tkWRmYvaGrgZ6ylV+MM0Gxkq+9KBxQuBx TP/3mHK/pJEa5NCN7kYMq3sovo46Irxkh+AOtpZ9MIx+Nb5ofScNPWx0UnIAeHVwt+zD T+BVI4rzG5DGxJhAPQ0UmwAxQxLjzEitX9CtuiRQCSsMCG/efqH463BhvmsAuZOoTaV6 VWgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=zfkxE1qQDzQHuIJbte3J18U7wgV0pzoGnxg3iJerReY=; b=hoez7UWHPBHYnoQCE5MCAcdUS38cm5S3d1pIwNC8RY3u8ScbpS60ydeYgykOPc2lnL CJcYnTUtwRDNJs32f7iy1xRRqtuGtIWBUhF9WwC/5MULuf3UjoQvdfRPTk1IWqY9BMoo X4+hPwcJMq+GLLvVjMW8AEO6EOU+Y6skh9D4FT+FCtbUrWfg6My/aNE75V5Q+CmK0yGS XBxASCloUTlsALrln9KalYEZMQ1B/qG4ErMiugEI0D7jeOKAMLoxAbiJa0gg3EhEEW/U 9V+hv4Wf0IXytR2Sh8WQ6FoXb+3/Ba1cPOpcHrdMFg8WHQYgCNIzZqzGhOBocmNwuUKG 96Jw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r17si4985637ejc.653.2020.12.06.03.43.21; Sun, 06 Dec 2020 03:43:44 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728309AbgLFLj5 (ORCPT + 99 others); Sun, 6 Dec 2020 06:39:57 -0500 Received: from mail.kernel.org ([198.145.29.99]:36794 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728288AbgLFLj4 (ORCPT ); Sun, 6 Dec 2020 06:39:56 -0500 From: Greg Kroah-Hartman Authentication-Results: mail.kernel.org; dkim=permerror (bad message/signature format) To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Antoine Tenart , Florian Westphal , Jakub Kicinski Subject: [PATCH 4.19 14/32] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Date: Sun, 6 Dec 2020 12:17:14 +0100 Message-Id: <20201206111556.448809404@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201206111555.787862631@linuxfoundation.org> References: <20201206111555.787862631@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Antoine Tenart [ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ] Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the hooks as, while it's an expected value for a bridge, routing expects PACKET_HOST. The change is undone later on after hook traversal. This can be seen with pairs of functions updating skb>pkt_type and then reverting it to its original value: For hook NF_INET_PRE_ROUTING: setup_pre_routing / br_nf_pre_routing_finish For hook NF_INET_FORWARD: br_nf_forward_ip / br_nf_forward_finish But the third case where netfilter does this, for hook NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing but never reverted. A comment says: /* We assume any code from br_dev_queue_push_xmit onwards doesn't care * about the value of skb->pkt_type. */ But when having a tunnel (say vxlan) attached to a bridge we have the following call trace: br_nf_pre_routing br_nf_pre_routing_ipv6 br_nf_pre_routing_finish br_nf_forward_ip br_nf_forward_finish br_nf_post_routing <- pkt_type is updated to PACKET_HOST br_nf_dev_queue_xmit <- but not reverted to its original value vxlan_xmit vxlan_xmit_one skb_tunnel_check_pmtu <- a check on pkt_type is performed In this specific case, this creates issues such as when an ICMPv6 PTB should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST and returns early). If the comment is right and no one cares about the value of skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting it to its original value should be safe. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Antoine Tenart Reviewed-by: Florian Westphal Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_netfilter_hooks.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -719,6 +719,11 @@ static int br_nf_dev_queue_xmit(struct n mtu_reserved = nf_bridge_mtu_reduction(skb); mtu = skb->dev->mtu; + if (nf_bridge->pkt_otherhost) { + skb->pkt_type = PACKET_OTHERHOST; + nf_bridge->pkt_otherhost = false; + } + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) mtu = nf_bridge->frag_max_size; @@ -812,8 +817,6 @@ static unsigned int br_nf_post_routing(v else return NF_ACCEPT; - /* We assume any code from br_dev_queue_push_xmit onwards doesn't care - * about the value of skb->pkt_type. */ if (skb->pkt_type == PACKET_OTHERHOST) { skb->pkt_type = PACKET_HOST; nf_bridge->pkt_otherhost = true;