skb_get_hash() triggers a (harmless) warn when neither skb->sk or skb->dev is set. In case of nf-generated tcp reset, both sk and dev are NULL: WARNING: .. net/core/flow_dissector.c:1104 [..] skb_flow_dissect_flow_keys include/linux/skbuff.h:1536 [inline] skb_get_hash include/linux/skbuff.h:1578 [inline] nft_trace_init+0x7d/0x120 net/netfilter/nf_tables_trace.c:320 nft_do_chain+0xb26/0xb90 net/netfilter/nf_tables_core.c:268 nft_do_chain_ipv4+0x7a/0xa0 net/netfilter/nft_chain_filter.c:23 nf_hook_slow+0x57/0x160 net/netfilter/core.c:626 __ip_local_out+0x21d/0x260 net/ipv4/ip_output.c:118 ip_local_out+0x26/0x1e0 net/ipv4/ip_output.c:127 nf_send_reset+0x58c/0x700 net/ipv4/netfilter/nf_reject_ipv4.c:308 nft_reject_ipv4_eval+0x53/0x90 net/ipv4/netfilter/nft_reject_ipv4.c:30 [..] Fixes: d0e13a1488ad ("flow_dissector: lookup netns by skb->sk if skb->dev is NULL") Reported-by: Christoph Paasch <cpaasch@xxxxxxxxx> Suggested-by: Paolo Abeni <pabeni@xxxxxxxxxx> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/494 Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/ipv4/netfilter/nf_reject_ipv4.c | 1 + net/ipv6/netfilter/nf_reject_ipv6.c | 1 + 2 files changed, 2 insertions(+) diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c index 04504b2b51df..9333a779eab2 100644 --- a/net/ipv4/netfilter/nf_reject_ipv4.c +++ b/net/ipv4/netfilter/nf_reject_ipv4.c @@ -278,6 +278,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb, if (nskb->len > dst_mtu(skb_dst(nskb))) goto free_nskb; + nskb->dev = skb_dst(nskb)->dev; nf_ct_attach(nskb, oldskb); nf_ct_set_closing(skb_nfct(oldskb)); diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c index dedee264b8f6..386223311579 100644 --- a/net/ipv6/netfilter/nf_reject_ipv6.c +++ b/net/ipv6/netfilter/nf_reject_ipv6.c 
@@ -334,6 +334,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb, return; } + nskb->dev = dst->dev; skb_dst_set(nskb, dst); nskb->mark = fl6.flowi6_mark; -- 2.44.2
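Review bot: in the nf_send_reset() hunk of net/ipv4/netfilter/nf_reject_ipv4.c, the added `nskb->dev = skb_dst(nskb)->dev;` carries no comment explaining why a locally generated reset needs dev set at this point. Going by the commit message, its only purpose is to give skb_get_hash() something to resolve the netns from when nft tracing hashes the reset on the output hook, so a one-line comment saying so would keep the assignment from being dropped later as redundant. The placement itself looks fine: the line sits after the `dst_mtu(skb_dst(nskb))` check, so the dst has already been dereferenced and no additional NULL check is needed.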
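Review bot: in the nf_send_reset6() hunk of net/ipv6/netfilter/nf_reject_ipv6.c, the device is taken from the local `dst` just before `skb_dst_set(nskb, dst)`, whereas the IPv4 hunk reads it back through `skb_dst(nskb)`; both are correct, but the same short comment about the skb_get_hash() warning belongs here too so the two files stay in step. Separately, the quoted WARN trace only shows the IPv4 path (nft_do_chain_ipv4, nf_reject_ipv4.c), so the commit message should say explicitly whether the IPv6 reset was seen to trigger the same warning or is being changed for symmetry.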