Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp5049911pxu; Thu, 10 Dec 2020 11:36:22 -0800 (PST) X-Google-Smtp-Source: ABdhPJxA12JfiKQRpCnjbYUF8qDo/bk3uTWeMnqP/juL0LzOH9ccnJeGI9rqajTFwphDk0Hscevq X-Received: by 2002:a17:906:391b:: with SMTP id f27mr7639320eje.195.1607628982242; Thu, 10 Dec 2020 11:36:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607628982; cv=none; d=google.com; s=arc-20160816; b=sKD0+Cx7kHHx1PfBel1jtw5RkkmAWrdh6BaWPZs6HFWop3tayDTZk84yrq4lDdW5BH 6K7TQaK+erpaPR4S/valPL4cLleQzOuLsQ/E2X9miebzFMwf8JuMTHCG+0OZGAtH3nwt fjyQFlio+/xNnXOfXsnE1h7EYlEUVFNA3X4Bp6WDgU7M8IpNTJIZ5wJnoOzhJZKvPYLi cYZvuFtBlSChXEnSm4qnIWY/VX0XJEywmxmj4fCk3JPLysWkVQAt3pRxfEEP7yCU9Eu1 jnSWgFvR8DhtvWcG4pE0kS/nx8E+c8YYcimogMg1uopU60NwnQpKBXYp+TX2+A0fXAjw 9new== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=pRsVzCTTZabOcHS6il0DER+EwoW0sgy/17WVSwnJkRE=; b=Ig90ta+GiYj4Qs/R3zn5/63Zor1kjb5vDzRnC3N+gT2qC6b0cvQ1Cmv9aoHNsdj7rB lYqmctkoNUl7Uf45lZt5RkLY/LOkqrMaMMVaP78foQURPLG6/UTYfSqLf3/GdKFJ2m8B xurDJc8UVHFaHoQlUs6/H2egg1VqMj3lMkEKsAjqnFMpY5ryFiI0sdwoabf06TpP2+E5 4nYU2X5aU0OeYZmk/wTD/KIiEqpH2fHS7zIsgJ5t1zRiYOvlqH0pWNKensdSvun60RWK 1SBJY/2+lUd2s+HaNwOgpRp5hbaUQSij1HX2YB0aqfC4MbOU7lTwXRyj7UPMFkA06Okv Donw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d1si3406090edy.296.2020.12.10.11.35.59; Thu, 10 Dec 2020 11:36:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2393348AbgLJTcN (ORCPT + 99 others); Thu, 10 Dec 2020 14:32:13 -0500 Received: from mail.kernel.org ([198.145.29.99]:37812 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388428AbgLJO3x (ORCPT ); Thu, 10 Dec 2020 09:29:53 -0500 From: Greg Kroah-Hartman Authentication-Results: mail.kernel.org; dkim=permerror (bad message/signature format) To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Antoine Tenart , Florian Westphal , Jakub Kicinski Subject: [PATCH 4.9 05/45] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Date: Thu, 10 Dec 2020 15:26:19 +0100 Message-Id: <20201210142602.627793598@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201210142602.361598591@linuxfoundation.org> References: <20201210142602.361598591@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Antoine Tenart [ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ] Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the hooks as, while it's an expected value for a bridge, routing expects PACKET_HOST. The change is undone later on after hook traversal. This can be seen with pairs of functions updating skb>pkt_type and then reverting it to its original value: For hook NF_INET_PRE_ROUTING: setup_pre_routing / br_nf_pre_routing_finish For hook NF_INET_FORWARD: br_nf_forward_ip / br_nf_forward_finish But the third case where netfilter does this, for hook NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing but never reverted. A comment says: /* We assume any code from br_dev_queue_push_xmit onwards doesn't care * about the value of skb->pkt_type. */ But when having a tunnel (say vxlan) attached to a bridge we have the following call trace: br_nf_pre_routing br_nf_pre_routing_ipv6 br_nf_pre_routing_finish br_nf_forward_ip br_nf_forward_finish br_nf_post_routing <- pkt_type is updated to PACKET_HOST br_nf_dev_queue_xmit <- but not reverted to its original value vxlan_xmit vxlan_xmit_one skb_tunnel_check_pmtu <- a check on pkt_type is performed In this specific case, this creates issues such as when an ICMPv6 PTB should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST and returns early). If the comment is right and no one cares about the value of skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting it to its original value should be safe. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Antoine Tenart Reviewed-by: Florian Westphal Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_netfilter_hooks.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -716,6 +716,11 @@ static int br_nf_dev_queue_xmit(struct n mtu_reserved = nf_bridge_mtu_reduction(skb); mtu = skb->dev->mtu; + if (nf_bridge->pkt_otherhost) { + skb->pkt_type = PACKET_OTHERHOST; + nf_bridge->pkt_otherhost = false; + } + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) mtu = nf_bridge->frag_max_size; @@ -809,8 +814,6 @@ static unsigned int br_nf_post_routing(v else return NF_ACCEPT; - /* We assume any code from br_dev_queue_push_xmit onwards doesn't care - * about the value of skb->pkt_type. */ if (skb->pkt_type == PACKET_OTHERHOST) { skb->pkt_type = PACKET_HOST; nf_bridge->pkt_otherhost = true;