diff options
| author |   Pablo Neira Ayuso <pablo@netfilter.org> | 2017-12-30 22:41:46 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-08 18:11:04 +0100 |
| commit | a7f87b47e67e4341f6175cdb80e5c2eaadf30dcb (patch) | |
| tree | 47f8be7118f28a8d3f4920968c96d3cb596d7ef2 /net/netfilter | |
| parent | netfilter: meta: secpath support (diff) | |
| download | linux-dev-a7f87b47e67e4341f6175cdb80e5c2eaadf30dcb.tar.xz linux-dev-a7f87b47e67e4341f6175cdb80e5c2eaadf30dcb.zip | |
netfilter: remove defensive check on malformed packets from raw sockets
Users cannot forge malformed IPv4/IPv6 headers via raw sockets that they
can inject into the stack. Specifically, not for IPv4 since 55888dfb6ba7
("AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl
(v2)"). IPv6 raw sockets also ensure that packets have a well-formed
IPv6 header available in the skbuff.
At quick glance, br_netfilter also validates layer 3 headers and it
drops malformed both IPv4 and IPv6 packets.
Therefore, let's remove this defensive check all over the place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_tables_inet.c | 34 |
1 files changed, 1 insertions, 33 deletions
diff --git a/net/netfilter/nf_tables_inet.c b/net/netfilter/nf_tables_inet.c index 313987e2b1fe..58b9be7480bb 100644 --- a/net/netfilter/nf_tables_inet.c +++ b/net/netfilter/nf_tables_inet.c @@ -38,38 +38,6 @@ static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb, return nft_do_chain(&pkt, priv); } -static unsigned int nft_inet_output(void *priv, struct sk_buff *skb, - const struct nf_hook_state *state) -{ - struct nft_pktinfo pkt; - - nft_set_pktinfo(&pkt, skb, state); - - switch (state->pf) { - case NFPROTO_IPV4: - if (unlikely(skb->len < sizeof(struct iphdr) || - ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) { - if (net_ratelimit()) - pr_info("ignoring short SOCK_RAW packet\n"); - return NF_ACCEPT; - } - nft_set_pktinfo_ipv4(&pkt, skb); - break; - case NFPROTO_IPV6: - if (unlikely(skb->len < sizeof(struct ipv6hdr))) { - if (net_ratelimit()) - pr_info("ignoring short SOCK_RAW packet\n"); - return NF_ACCEPT; - } - nft_set_pktinfo_ipv6(&pkt, skb); - break; - default: - break; - } - - return nft_do_chain(&pkt, priv); -} - static struct nft_af_info nft_af_inet __read_mostly = { .family = NFPROTO_INET, .nhooks = NF_INET_NUMHOOKS, @@ -116,7 +84,7 @@ static const struct nf_chain_type filter_inet = { (1 << NF_INET_POST_ROUTING), .hooks = { [NF_INET_LOCAL_IN] = nft_do_chain_inet, - [NF_INET_LOCAL_OUT] = nft_inet_output, + [NF_INET_LOCAL_OUT] = nft_do_chain_inet, [NF_INET_FORWARD] = nft_do_chain_inet, [NF_INET_PRE_ROUTING] = nft_do_chain_inet, [NF_INET_POST_ROUTING] = nft_do_chain_inet, |