Bug: ebtables snat drops small packets

Hi !

I noticed a bug when using the snat module of ebtables.
If the ethernet payload of a packet is less than 12 bytes, the packet gets dropped.

I traced it down to this commit which changes calls to `skb_make_writable` to `skb_ensure_writable` :
https://github.com/torvalds/linux/commit/c1a8311679014a79b04c039e32bde34fb68952fd

The diff gives a clear hint of the bug. For example, in `net/bridge/netfilter/ebt_snat.c` :

-   if (!skb_make_writable(skb, 0))
+   if (skb_ensure_writable(skb, ETH_ALEN * 2))
        return EBT_DROP;
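
Review bot: The length passed on the added line, `skb_ensure_writable(skb, ETH_ALEN * 2)`, is counted from the start of the payload rather than from the Ethernet header, as the report's 11-byte versus 12-byte test shows, so any frame with fewer than 12 payload bytes fails the check and reaches `return EBT_DROP`. Suggest keeping the previous length, `skb_ensure_writable(skb, 0)`, which the reporter confirms restores forwarding, and adding a comment stating which region the call is meant to make writable so the other call sites changed by the same commit can be checked against it.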

The goal was to make the Ethernet source and destination addresses writable, but the function seems to expect a number of bytes after the Ethernet header.
Hence, packets with a payload < 12 bytes are dropped. It probably applies to the other changes of the commit too.

I can confirm that setting the `write_len` parameter back to 0 "fixes" the bug, but I'm not familiar with the code enough to know if the call is needed altogether.


Given below is a "minimal" working example to reproduce the bug:

Set up two bridges, linked with veth adapters:

    ip link add veth1 type veth peer name veth2
    ip link set veth1 address 66:47:61:00:00:01
    ip link set veth2 address 66:47:61:00:00:02
    ip link add br1 type bridge
    ip link add br2 type bridge
    ip link set veth1 master br1
    ip link set veth2 master br2
    ip link set br1 up
    ip link set br2 up
    ip link set veth1 up
    ip link set veth2 up

Add a rule that changes the source of 802.1X packets from br1 to br2:

    ebtables -t nat -A POSTROUTING -s 66:47:61:00:00:01 -p 0x888e -j snat --to-src 66:47:61:00:00:03 --snat-target ACCEPT

Send a packet to br2 (a dummy 802.1X packet with 12 bytes of payload):

    #!/usr/bin/env python3
    import socket
    size = 12
    s = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM)
    addr = ('br1', 0x888e, 0, 1, b'\x66\x47\x61\x00\x00\x02')
    s.sendto(b'\xff' * size, addr)
    s.close()

If we run tcpdump/wireshark on br2, we can see that the packets are present, with the snatted source MAC (:03).
However, if we send a packet with size = 11, the packet is dropped and we don't see it on br2.


Regards,
Timothée.
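
An added example, not part of the original message: a sweep over payload sizes that reuses the reproduction above to find where forwarding starts. It assumes the bridges and the ebtables rule from the report are in place, that it runs as root, and that veth does not pad short frames; the helper names are hypothetical.

```python
# Added example, not from the original message. Run as root after the
# setup above; interface names and MAC addresses are the report's own.
import socket

ETH_P_PAE = 0x888e                         # ethertype matched by the rule
DST = bytes.fromhex("664761000002")        # veth2
SNAT_SRC = bytes.fromhex("664761000003")   # --to-src of the rule


def dropped_sizes(sent, received):
    """Payload sizes that were sent but never seen on the far bridge."""
    return sorted(set(sent) - set(received))


def smallest_forwarded(sent, received):
    """Smallest payload size that got through, or None if none did."""
    seen = set(sent) & set(received)
    return min(seen) if seen else None


def sweep(sizes, tx_if="br1", rx_if="br2", timeout=1.0):
    """Send one frame per size on tx_if; return payload lengths seen on rx_if."""
    rx = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM,
                       socket.htons(ETH_P_PAE))
    rx.bind((rx_if, ETH_P_PAE))
    rx.settimeout(timeout)
    tx = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM)
    received = []
    try:
        for size in sizes:
            tx.sendto(b"\xff" * size, (tx_if, ETH_P_PAE, 0, 1, DST))
        while True:
            payload, addr = rx.recvfrom(2048)
            if addr[4] == SNAT_SRC:        # count only frames the rule rewrote
                received.append(len(payload))
    except socket.timeout:
        pass                               # nothing more arrived
    finally:
        rx.close()
        tx.close()
    return received


if __name__ == "__main__":
    sizes = list(range(1, 25))
    got = sweep(sizes)
    print("dropped payload sizes:", dropped_sizes(sizes, got))
    print("smallest forwarded size:", smallest_forwarded(sizes, got))
```

On a kernel with the behaviour described in the report, sizes 1 to 11 would be listed as dropped; an empty list means every size was forwarded.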
