netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport

This is overly conservative and not flexible at all, so better let them
go through and let the filtering policy decide what to do with them. We
use skb_header_pointer() all over the place so we would just fail to
match when trying to access fields from malformed traffic.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h
index 39b7b717b5404ba4f7e57c55f200350661dbab59..d150b50662017378644c8f3ccf0218ecceaa2331 100644 (file)
--- a/include/net/netfilter/nf_tables_ipv6.h
+++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -4,7 +4,7 @@
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/ipv6.h>
 
-static inline int
+static inline void
 nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
                     struct sk_buff *skb,
                     const struct nf_hook_state *state)
@@ -17,15 +17,13 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
        protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
        if (protohdr < 0) {
                nft_set_pktinfo_proto_unspec(pkt, skb);
-               return -1;
+               return;
        }
 
        pkt->tprot_set = true;
        pkt->tprot = protohdr;
        pkt->xt.thoff = thoff;
        pkt->xt.fragoff = frag_off;
-
-       return 0;
 }
 
 static inline int

diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index 30b22f4dff55e7cfc5f83a3549192f54615c8701..05d05926962ab5baa90ee2de4ac63584c8408841 100644 (file)
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -22,9 +22,7 @@ static unsigned int nft_do_chain_ipv6(void *priv,
 {
        struct nft_pktinfo pkt;
 
-       /* malformed packet, drop it */
-       if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
-               return NF_DROP;
+       nft_set_pktinfo_ipv6(&pkt, skb, state);
 
        return nft_do_chain(&pkt, priv);
 }

diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c
index 71d995ff3108fe001fc2318aa0e7c76c3cd9b1f8..01eb0f658366964bd3fc5feadbdb8b356625b9ec 100644 (file)
--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
@@ -32,9 +32,7 @@ static unsigned int nf_route_table_hook(void *priv,
        u_int8_t hop_limit;
        u32 mark, flowlabel;
 
-       /* malformed packet, drop it */
-       if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
-               return NF_DROP;
+       nft_set_pktinfo_ipv6(&pkt, skb, state);
 
        /* save source/dest address, mark, hoplimit, flowlabel, priority */
        memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));