Patch "netfilter: allow ipv6 fragments to arrive on different devices" has been added to the 6.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 19 Aug 2024 10:21:01 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: allow ipv6 fragments to arrive on different devices

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-allow-ipv6-fragments-to-arrive-on-differen.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b351ec2203c8b888ec8128ee4556ba3f2c84d7b8
Author: Tom Hughes <tom@xxxxxxxxxx>
Date:   Tue Aug 6 12:40:52 2024 +0100

    netfilter: allow ipv6 fragments to arrive on different devices
    
    [ Upstream commit 3cd740b985963f874a1a094f1969e998b9d05554 ]
    
    Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
    for multicast and link-local packets") modified the ipv6 fragment
    reassembly logic to distinguish frag queues by device for multicast
    and link-local packets but in fact only the main reassembly code
    limits the use of the device to those address types and the netfilter
    reassembly code uses the device for all packets.
    
    This means that if fragments of a packet arrive on different interfaces
    then netfilter will fail to reassemble them and the fragments will be
    expired without going any further through the filters.
    
    Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
    Signed-off-by: Tom Hughes <tom@xxxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 5e1b50c6a44d2..3e9779ed7daec 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -154,6 +154,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
 	};
 	struct inet_frag_queue *q;
 
+	if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST |
+					    IPV6_ADDR_LINKLOCAL)))
+		key.iif = 0;
+
 	q = inet_frag_find(nf_frag->fqdir, &key);
 	if (!q)
 		return NULL;







