I have reproduced an issue affecting some nftables meta expressions on the egress hook.

With the following example ruleset:

table netdev test_ndev {
	chain out {
		type filter hook egress device "eth0" priority -190; policy accept;
		meta l4proto udp log prefix "OUT__"
	}
}

When small UDP packets (< 4 bytes payload) are sent from eth0, the `meta l4proto udp` condition is not met because `NFT_PKTINFO_L4PROTO` is not set.

This happens because there is a comparison that checks if the transport header offset exceeds the total length. This comparison does not take into account the fact that the skb network offset might be non-zero in egress mode (e.g., 14 bytes for the Ethernet header).

Signed-off-by: Jorge Ortiz <jorge.ortiz.escribano@xxxxxxxxx>
---
 include/net/netfilter/nf_tables_ipv4.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index 60a7d0ce3080..0f11568eaba6 100644
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -33,7 +33,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
 	thoff = skb_network_offset(pkt->skb) + (iph->ihl * 4);
 	if (pkt->skb->len < len)
 		return -1;
-	else if (len < thoff)
+	else if (len + skb_network_offset(pkt->skb) < thoff)
 		return -1;
 	else if (thoff < sizeof(*iph))
 		return -1;
-- 
2.43.0
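Review bot: the patched comparison `len + skb_network_offset(pkt->skb) < thoff` is `len < iph->ihl * 4` with the network offset added to both sides, since `thoff` is computed two lines above as `skb_network_offset(pkt->skb) + (iph->ihl * 4)`; writing it as `else if (len < iph->ihl * 4)` states the real invariant (the IP total length must at least cover the IP header) without re-reading the offset and without asking the reader to verify the cancellation. The same offset confusion is visible in the two neighbouring checks of this hunk and is worth fixing in the same patch: `if (pkt->skb->len < len)` compares `pkt->skb->len`, which at egress includes the link-layer header the commit message mentions, against `len`, which is the IP total length and does not, so a frame whose IP total length exceeds what is actually behind the IP header by up to the link-layer header size still passes; and `else if (thoff < sizeof(*iph))` compares an offset that already contains the link-layer header against the IP header size, so at egress it can never trigger (if the intent is to reject `iph->ihl < 5`, compare `iph->ihl * 4` instead). Two smaller points: the commit message's "< 4 bytes payload" looks low by my arithmetic, because with a 14-byte Ethernet header and a 20-byte IPv4 header `thoff` is 34 and a UDP datagram (8-byte header) only reaches an IP total length of 34 with 6 or more bytes of payload, so the old check rejects payloads under 6 bytes; and since this is a fix for a hook that already ships, please add a Fixes: tag naming the commit that introduced the egress hook or this comparison so the change is picked up by stable.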
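The length arithmetic behind the report, modelled as an added example that is not code from the patch or from the kernel: a userspace stand-in for the three comparisons in `__nft_set_pktinfo_ipv4_validate()` is run over a constructed Ethernet/IPv4/UDP frame at a network offset of 0 (ingress) and 14 (egress, as the commit message describes), with the middle comparison once as it was and once as patched. The struct names `model_iphdr` and `model_skb`, the functions `build_udp_skb()`, `old_check()`, `new_check()` and `min_accepted_payload()`, and the plain-Ethernet, no-IP-options constants are assumptions of this example. It goes one step past the report by scanning payload sizes to find the smallest datagram each variant accepts.

```c
/* Added example, not kernel or patch code: model the length checks of
 * __nft_set_pktinfo_ipv4_validate() on a constructed UDP/IPv4 frame.
 * Assumed layout: plain Ethernet (14-byte L2 header), IPv4 without
 * options (ihl = 5), UDP (8-byte header). */
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14   /* assumed link-layer header size at egress */
#define IP_HLEN  20   /* IPv4 header without options */
#define UDP_HLEN 8

/* Stand-in for struct iphdr: only the two fields the checks read. */
struct model_iphdr {
	uint8_t  ihl;      /* header length in 32-bit words */
	uint16_t tot_len;  /* IP total length, host order; excludes the L2 header */
};

/* Stand-in for the sk_buff: total length and where the IP header starts. */
struct model_skb {
	uint32_t len;          /* bytes from skb->data to the end of the frame */
	uint32_t network_off;  /* skb_network_offset(): 0 at ingress, ETH_HLEN at egress */
	struct model_iphdr iph;
};

/* Build a UDP datagram with the given payload size as the hook sees it:
 * at egress the L2 header already sits in front of the IP header, so it
 * is part of skb->len but not of the IP total length. */
static struct model_skb build_udp_skb(uint16_t payload, uint32_t network_off)
{
	struct model_skb skb;

	skb.iph.ihl = 5;
	skb.iph.tot_len = (uint16_t)(IP_HLEN + UDP_HLEN + payload);
	skb.network_off = network_off;
	skb.len = network_off + skb.iph.tot_len;
	return skb;
}

/* The three comparisons of the hunk before the patch.
 * Returns -1 when the packet is rejected (NFT_PKTINFO_L4PROTO never set),
 * 0 when it is accepted. */
static int old_check(const struct model_skb *skb)
{
	uint32_t len = skb->iph.tot_len;
	uint32_t thoff = skb->network_off + (skb->iph.ihl * 4);

	if (skb->len < len)
		return -1;
	else if (len < thoff)          /* mixes an offset with a length */
		return -1;
	else if (thoff < IP_HLEN)
		return -1;
	return 0;
}

/* Same checks with the middle comparison as patched. */
static int new_check(const struct model_skb *skb)
{
	uint32_t len = skb->iph.tot_len;
	uint32_t thoff = skb->network_off + (skb->iph.ihl * 4);

	if (skb->len < len)
		return -1;
	else if (len + skb->network_off < thoff)  /* same as len < ihl * 4 */
		return -1;
	else if (thoff < IP_HLEN)
		return -1;
	return 0;
}

/* Smallest UDP payload (0..64 bytes) the given check accepts at the given
 * network offset, or -1 if it rejects every size in that range. */
static int min_accepted_payload(int (*check)(const struct model_skb *),
				uint32_t network_off)
{
	for (uint16_t p = 0; p <= 64; p++) {
		struct model_skb skb = build_udp_skb(p, network_off);

		if (check(&skb) == 0)
			return p;
	}
	return -1;
}

int main(void)
{
	printf("ingress (offset 0):  old accepts from %d bytes, new from %d bytes\n",
	       min_accepted_payload(old_check, 0),
	       min_accepted_payload(new_check, 0));
	printf("egress  (offset 14): old accepts from %d bytes, new from %d bytes\n",
	       min_accepted_payload(old_check, ETH_HLEN),
	       min_accepted_payload(new_check, ETH_HLEN));
	return 0;
}
```

At offset 0 both variants accept a zero-byte payload, because `thoff` is then just the 20-byte IP header and any UDP datagram's total length of at least 28 covers it. At offset 14 the old comparison needs the IP total length to reach 34, which a UDP datagram only does with 6 bytes of payload, so every shorter datagram silently loses `NFT_PKTINFO_L4PROTO`; the patched comparison accepts from zero bytes again, since adding the offset to both sides reduces it to "total length covers the IP header".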