Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1682062pxu; Sun, 6 Dec 2020 03:56:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJwav+KuiPdoNRV3BBM4EbG+KgCMwG91ZzvqRaMdnJ6vW1YJtHc1bNeG0xXHVa0ixMWv//oK X-Received: by 2002:a17:906:4c55:: with SMTP id d21mr14902782ejw.116.1607255775305; Sun, 06 Dec 2020 03:56:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607255775; cv=none; d=google.com; s=arc-20160816; b=GrNKLJf5k2Uch/EJprfI9kq64eIOEfI0ibxtt03ZN0uOeRtm3M1DsMjwGU8y1NTXXR 1Z7d5kr3TflcYRXAPN+8C9HYEUlxszhIyQVStqxz4RVoeo/g/fcNhr3ECRFVi3iStxGp tlw7X2N26MWXFJB2sUF8IIBQmSjEnAYoE6pT2mAYgm/s3m2v0Z2wPFk5hO2PlNLlqFrs 5G9tpl6wip2X+DtEwPxrhDibjiNtP+e8MhBnWCJSmJmLXPU0D4cJRLPh3AVykPRZdObn BYATBYiHmssYYPAYw6Cvj8Oi5aASbkDo411uzyMEaiz4cbdQN8phLQ4Qta8CDg1gNfWh iiBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=pRsVzCTTZabOcHS6il0DER+EwoW0sgy/17WVSwnJkRE=; b=M0fFHTc10NzVIin8WVvKiC+l8+Pse7uwOFfN5qCkGAul3IqfI7tCL+30+yJ8u2st2W /CmqMdYnPKP7+iaw7Yf5M9sAAuh7CMV6s0ORvRVMHn7VlQPE3OgzjocrwSQ02yUt2ZgY ut0lRd1Va5lLUq75l8Lz6CUp1EIAKxr31oyV5t8TY8wHfsHkTG4e8er6FN3HHWEsttPw OGjXPDWbqnB9Mim9576D7tSgmr9dykRFdFDbJmcHRb2JdbOcPci+GdRy9Bi0or6oTVft dEmM9NeSzT+7302ACLUX8lOx+jSTiF/M0CJoWFDSPzOAbUsqqalMx88Ad0sLUf/jiuEi LMhQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b5si5888826edw.587.2020.12.06.03.55.51; Sun, 06 Dec 2020 03:56:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728006AbgLFLj2 (ORCPT + 99 others); Sun, 6 Dec 2020 06:39:28 -0500 Received: from mail.kernel.org ([198.145.29.99]:36366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727953AbgLFLj1 (ORCPT ); Sun, 6 Dec 2020 06:39:27 -0500 From: Greg Kroah-Hartman Authentication-Results: mail.kernel.org; dkim=permerror (bad message/signature format) To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Antoine Tenart , Florian Westphal , Jakub Kicinski Subject: [PATCH 4.14 08/20] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Date: Sun, 6 Dec 2020 12:17:11 +0100 Message-Id: <20201206111555.953900920@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201206111555.569713359@linuxfoundation.org> References: <20201206111555.569713359@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Antoine Tenart [ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ] Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the hooks as, while it's an expected value for a bridge, routing expects PACKET_HOST. The change is undone later on after hook traversal. This can be seen with pairs of functions updating skb>pkt_type and then reverting it to its original value: For hook NF_INET_PRE_ROUTING: setup_pre_routing / br_nf_pre_routing_finish For hook NF_INET_FORWARD: br_nf_forward_ip / br_nf_forward_finish But the third case where netfilter does this, for hook NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing but never reverted. A comment says: /* We assume any code from br_dev_queue_push_xmit onwards doesn't care * about the value of skb->pkt_type. */ But when having a tunnel (say vxlan) attached to a bridge we have the following call trace: br_nf_pre_routing br_nf_pre_routing_ipv6 br_nf_pre_routing_finish br_nf_forward_ip br_nf_forward_finish br_nf_post_routing <- pkt_type is updated to PACKET_HOST br_nf_dev_queue_xmit <- but not reverted to its original value vxlan_xmit vxlan_xmit_one skb_tunnel_check_pmtu <- a check on pkt_type is performed In this specific case, this creates issues such as when an ICMPv6 PTB should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST and returns early). If the comment is right and no one cares about the value of skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting it to its original value should be safe. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Antoine Tenart Reviewed-by: Florian Westphal Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_netfilter_hooks.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -716,6 +716,11 @@ static int br_nf_dev_queue_xmit(struct n mtu_reserved = nf_bridge_mtu_reduction(skb); mtu = skb->dev->mtu; + if (nf_bridge->pkt_otherhost) { + skb->pkt_type = PACKET_OTHERHOST; + nf_bridge->pkt_otherhost = false; + } + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) mtu = nf_bridge->frag_max_size; @@ -809,8 +814,6 @@ static unsigned int br_nf_post_routing(v else return NF_ACCEPT; - /* We assume any code from br_dev_queue_push_xmit onwards doesn't care - * about the value of skb->pkt_type. */ if (skb->pkt_type == PACKET_OTHERHOST) { skb->pkt_type = PACKET_HOST; nf_bridge->pkt_otherhost = true;