| Message ID | 20210624090135.22406-1-geokohma@cisco.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] ipv6/netfilter: Drop Packet Too Big with invalid payload | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | fail | Series targets non-next tree, but doesn't contain any Fixes tags |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Clearly marked for net |
| netdev/subject_prefix | success | Link |
| netdev/cc_maintainers | success | CCed 8 of 8 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 21 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
On 24.06.2021 11:05, Florian Westphal wrote: > Georg Kohmann <geokohma@cisco.com> wrote: >> PMTU is updated even though received ICMPv6 PTB do not match any >> transmitted traffic. This breaks TAHI IPv6 Core Conformance Test >> Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1]. >> >> Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should >> appropriately validate the payload of ICMPv6 PTB messages to ensure >> these are received in response to transmitted traffic (i.e., a reported >> error condition that corresponds to an IPv6 packet actually sent by the >> application) per [ICMPv6]." >> >> nf_conntrack_inet_error() return -NF_ACCEPT if the inner header of >> ICMPv6 error packet is not related to an existing connection. Drop PTB >> packet when this occur. This will prevent ipv6 from handling the packet >> and update the PMTU. > This is intentional. We try to not auto-drop packets in conntrack. > > Packet is marked as invalid, users can add nft/iptables rules to discard > such packets if they want to do so. Ah, dropping patch then, thank you.
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c index facd8c6..797cd42 100644 --- a/net/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/netfilter/nf_conntrack_proto_icmpv6.c @@ -139,6 +139,7 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl, const struct icmp6hdr *icmp6h; struct icmp6hdr _ih; int type; + int ret; icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih); if (icmp6h == NULL) { @@ -167,8 +168,12 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl, memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr, sizeof(outer_daddr.ip6)); dataoff += sizeof(*icmp6h); - return nf_conntrack_inet_error(tmpl, skb, dataoff, state, - IPPROTO_ICMPV6, &outer_daddr); + ret = nf_conntrack_inet_error(tmpl, skb, dataoff, state, + IPPROTO_ICMPV6, &outer_daddr); + if (icmp6h->icmp6_type == ICMPV6_PKT_TOOBIG && + ret == -NF_ACCEPT) + return -NF_DROP; + return ret; } #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
PMTU is updated even though received ICMPv6 PTB do not match any transmitted traffic. This breaks TAHI IPv6 Core Conformance Test Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1]. Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should appropriately validate the payload of ICMPv6 PTB messages to ensure these are received in response to transmitted traffic (i.e., a reported error condition that corresponds to an IPv6 packet actually sent by the application) per [ICMPv6]." nf_conntrack_inet_error() return -NF_ACCEPT if the inner header of ICMPv6 error packet is not related to an existing connection. Drop PTB packet when this occur. This will prevent ipv6 from handling the packet and update the PMTU. The included test script below use ICMPv6 echo requests and PTB with an invalid ICMPv6 identifier to check whether the host under test will ignore the PTB or not. The host should not fragment the last echo response. [1] https://www.ipv6ready.org/docs/Core_Conformance_5_0_1.pdf ===== SCRIPT FOR SIMULATING TEST v6LC.4.1.12. ===== from scapy.all import * def send_packet_too_big(addr, reply, mtu, id): reply[ICMPv6EchoReply].id = id I=IPv6(dst=addr) PacketTooBig=ICMPv6PacketTooBig(mtu=mtu, code=255) reply.data = reply.data[:mtu-len(I/PacketTooBig/reply)] reply[IPv6].fl = 0 packet = I/PacketTooBig/reply del packet.cksum send(packet) def send_echo_request(addr, payload, id=0, wait=True): I=IPv6(dst=addr) EchoRequest=ICMPv6EchoRequest(data=payload) EchoRequest.id = id if wait: return sr1(I/EchoRequest, timeout=5) else: return send(I/EchoRequest) def validate_packets(addr): packets = sniff(filter = "ip6 and host {}".format(addr), timeout=2) for packet in packets: if IPv6ExtHdrFragment in packet[IPv6]: if ICMPv6EchoReply in packet[IPv6][IPv6ExtHdrFragment]: print("Fail - Received a fragmented echo") return print("Success - No fragmented echo reply received") if __name__ == '__main__': print("Simulating IPv6 Core Conformance Test v6LC4.1.12") addr = sys.argv[1] thread = threading.Thread(target=validate_packets, args=(addr,)) thread.start() echo_reply = send_echo_request(addr, 'A'*1400, id=0) if echo_reply: send_packet_too_big(addr, echo_reply, mtu=1300, id=1) send_echo_request(addr, 'A'*1400, id=0, wait=False) ===== END OF SCRIPT ===== Signed-off-by: Georg Kohmann <geokohma@cisco.com> --- net/netfilter/nf_conntrack_proto_icmpv6.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)