Netfilter-Devel Archive on lore.kernel.org
 help / color / Atom feed
* Bug: ebtables snat drops small packets
@ 2020-10-14  9:31 timothee.cocault
  2020-10-14  9:48 ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: timothee.cocault @ 2020-10-14  9:31 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Florian Westphal; +Cc: netfilter-devel

Hi !

I noticed a bug when using the snat module of ebtables.
If the ethernet payload of a packet is less than 12 bytes, the packet gets dropped.

I traced it down to this commit which changes calls to `skb_make_writable` to `skb_ensure_writable` :
https://github.com/torvalds/linux/commit/c1a8311679014a79b04c039e32bde34fb68952fd

The diff gives a clear hint of the bug. For example, in `net/bridge/netfilter/ebt_snat.c` :

-   if (!skb_make_writable(skb, 0))
+   if (skb_ensure_writable(skb, ETH_ALEN * 2))
        return EBT_DROP;

The goal was to make the ethernet source and destination address writable, but the function seems to expects a number of bytes after the Ethernet header.
Hence, packets with a payload < 12 bytes are dropped. It probably applies to the other changes of the commit too.

I can confirm that setting the `write_len` parameter back to 0 "fixes" the bug, but I'm not familiar with the code enough to know if the call is needed altogether.


Given below is a "minimal" working example to reproduce the bug:

Setup two bridges, linked with veth adapters:

    ip link add veth1 type veth peer name veth2
    ip link set veth1 address 66:47:61:00:00:01
    ip link set veth2 address 66:47:61:00:00:02
    ip link add br1 type bridge
    ip link add br2 type bridge
    ip link set veth1 master br1
    ip link set veth2 master br2
    ip link set br1 up
    ip link set br2 up
    ip link set veth1 up
    ip link set veth2 up

Add a rule that changes the source of 802.1X packets from br1 to br2:

    ebtables -t nat -A POSTROUTING -s 66:47:61:00:00:01 -p 0x888e -j snat --to-src 66:47:61:00:00:03 --snat-target ACCEPT

Send a packet to br2 (a dummy 802.1X packet with 12 bytes of payload):

    #!/usr/bin/env python3
    import socket
    size = 12
    s = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM)
    addr = ('br1', 0x888e, 0, 1, b'\x66\x47\x61\x00\x00\x02')
    s.sendto(b'\xff' * size, addr)
    s.close()

If we run tcpdump/wireshark on br2, we can see that the packets are present, with the snatted source MAC (:03).
However, if we send a packet with size = 11, the packet is dropped and we don't see it on br2.


Regards,
Timothée.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Bug: ebtables snat drops small packets
  2020-10-14  9:31 Bug: ebtables snat drops small packets timothee.cocault
@ 2020-10-14  9:48 ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2020-10-14  9:48 UTC (permalink / raw)
  To: timothee.cocault; +Cc: Pablo Neira Ayuso, Florian Westphal, netfilter-devel

timothee.cocault@orange.com <timothee.cocault@orange.com> wrote:
> Hi !
> 
> I noticed a bug when using the snat module of ebtables.
> If the ethernet payload of a packet is less than 12 bytes, the packet gets dropped.
> 
> I traced it down to this commit which changes calls to `skb_make_writable` to `skb_ensure_writable` :
> https://github.com/torvalds/linux/commit/c1a8311679014a79b04c039e32bde34fb68952fd
> 
> The diff gives a clear hint of the bug. For example, in `net/bridge/netfilter/ebt_snat.c` :
> 
> -   if (!skb_make_writable(skb, 0))
> +   if (skb_ensure_writable(skb, ETH_ALEN * 2))
>         return EBT_DROP;

Can you send a formal patch that fixes this up for all callers?

Thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-14  9:31 Bug: ebtables snat drops small packets timothee.cocault
2020-10-14  9:48 ` Florian Westphal

Netfilter-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netfilter-devel/0 netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ https://lore.kernel.org/netfilter-devel \
		netfilter-devel@vger.kernel.org
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netfilter-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git