Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1678497pxu; Sun, 6 Dec 2020 03:47:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJzIptT6VwKkIygJJeOqPJRAX/OFewmVqo1FuGWliMkl8MFnbr5Gq6Y+UmBLawX9a5/vdHXd X-Received: by 2002:a17:906:7c49:: with SMTP id g9mr9565477ejp.185.1607255243769; Sun, 06 Dec 2020 03:47:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607255243; cv=none; d=google.com; s=arc-20160816; b=HQBZUd8K/43UNsBgmu0b8OydB/kKCF5vXMSINQKUAQlZ/CepUM/S279WCNnp1cMB0a PKqHymRSicZmM8mMPq0xE81rZ5FJzfN4kb+KzYBXY1QEe0ElWqNC79rh8LrZTX4XwNBf XyN/RISLrj/me0cw+QyVeriFk/dknOXkg9dFS7qDXOOwwYur0gxRwlJ2eS7WO8wuUQoD NjSGyV/6nM6HXBtogjDmNnM7UbYTy3ADa58eUlIoTXS/alg11gmml8PbNK/x1Pu7h4cz blts66s4ZaAHPOwPmKocaTjx585ulSLMLHteAPVxB9mmCKfBIulHupQR7W6ZcWWhjbW0 RIxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=znzI5ZAC6V8JsXXnZL3GEZw6Y9onlINSPCArly1Qfuo=; b=SVyE6Q32Evwqw+BYHzTjMyCEI7CQkU0a6oWy4ZQBsVF+ww1+mLeZFKkK19GuuOuovC lQCPRb0foGIrTMlAdt50rXqeqFlI1/hqR43zUTYReHn7tcT91ISgMLeBar+r5Im71/u0 Ri5cv6mbKQIWhrng9xUJWOLn3TR4E5u5sgPSl2Rnc5yF9h2BPyMMT+84ichu2hMi1IAj 9dobPSkCY2FqfGdFuHZxxZTqhem142TEVOGzVSGKUsa6F+YVF14q1uayZcFJw214mc6D OHG7bhQpzeBRXZ9A6hpyH/Q+syu9VdOyY5G4YqG5t9doLfjTs0R05dMhm4x/bp2LthtR 6kGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y23si4742622ejr.725.2020.12.06.03.47.00; Sun, 06 Dec 2020 03:47:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728922AbgLFLpa (ORCPT + 99 others); Sun, 6 Dec 2020 06:45:30 -0500 Received: from mail.kernel.org ([198.145.29.99]:45264 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728001AbgLFLp1 (ORCPT ); Sun, 6 Dec 2020 06:45:27 -0500 From: Greg Kroah-Hartman Authentication-Results: mail.kernel.org; dkim=permerror (bad message/signature format) To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Antoine Tenart , Florian Westphal , Jakub Kicinski Subject: [PATCH 5.9 16/46] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Date: Sun, 6 Dec 2020 12:17:24 +0100 Message-Id: <20201206111557.249275111@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201206111556.455533723@linuxfoundation.org> References: <20201206111556.455533723@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Antoine Tenart [ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ] Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the hooks as, while it's an expected value for a bridge, routing expects PACKET_HOST. The change is undone later on after hook traversal. This can be seen with pairs of functions updating skb>pkt_type and then reverting it to its original value: For hook NF_INET_PRE_ROUTING: setup_pre_routing / br_nf_pre_routing_finish For hook NF_INET_FORWARD: br_nf_forward_ip / br_nf_forward_finish But the third case where netfilter does this, for hook NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing but never reverted. A comment says: /* We assume any code from br_dev_queue_push_xmit onwards doesn't care * about the value of skb->pkt_type. */ But when having a tunnel (say vxlan) attached to a bridge we have the following call trace: br_nf_pre_routing br_nf_pre_routing_ipv6 br_nf_pre_routing_finish br_nf_forward_ip br_nf_forward_finish br_nf_post_routing <- pkt_type is updated to PACKET_HOST br_nf_dev_queue_xmit <- but not reverted to its original value vxlan_xmit vxlan_xmit_one skb_tunnel_check_pmtu <- a check on pkt_type is performed In this specific case, this creates issues such as when an ICMPv6 PTB should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST and returns early). If the comment is right and no one cares about the value of skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting it to its original value should be safe. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Antoine Tenart Reviewed-by: Florian Westphal Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_netfilter_hooks.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -735,6 +735,11 @@ static int br_nf_dev_queue_xmit(struct n mtu_reserved = nf_bridge_mtu_reduction(skb); mtu = skb->dev->mtu; + if (nf_bridge->pkt_otherhost) { + skb->pkt_type = PACKET_OTHERHOST; + nf_bridge->pkt_otherhost = false; + } + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) mtu = nf_bridge->frag_max_size; @@ -835,8 +840,6 @@ static unsigned int br_nf_post_routing(v else return NF_ACCEPT; - /* We assume any code from br_dev_queue_push_xmit onwards doesn't care - * about the value of skb->pkt_type. */ if (skb->pkt_type == PACKET_OTHERHOST) { skb->pkt_type = PACKET_HOST; nf_bridge->pkt_otherhost = true;