nat64: Drop fragmented v4 packets as well as those with options

In the other direction we also drop packets with options, which covers fragmented packets. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
2024-05-06 15:54:53 +00:00 · 2021-10-01 00:08:11 +02:00
parent 0c2dd5e5cf
commit 7ec0aabbb0
1 changed files with 10 additions and 3 deletions
--- a/nat64-bpf/nat64_kern.c
+++ b/nat64-bpf/nat64_kern.c
@@ -91,10 +91,17 @@ static int nat64_handle_v4(struct __sk_buff *skb, struct hdr_cursor *nh)
         */
        ret = TC_ACT_SHOT;

+        /* we don't bother dealing with IP options or fragmented packets. The
+         * latter are identified by the 'frag_off' field having a value (either
+         * the MF bit, or the fragmet offset, or both). However, this field also
+         * contains the "don't fragment" (DF) bit, which we ignore, so mask that
+         * out. The DF is the second-most-significant bit (as bit 0 is
+         * reserved).
+         */
        iphdr_len = iph->ihl * 4;
-        /* drop packets with IP options */
-        if (iphdr_len != sizeof(struct iphdr)) {
-                DBG("v4: pkt src/dst %pI4/%pI4 has IP options, dropping\n",
+        if (iphdr_len != sizeof(struct iphdr) ||
+            (iph->frag_off & ~bpf_htons(1<<14))) {
+                DBG("v4: pkt src/dst %pI4/%pI4 has IP options or is fragmented, dropping\n",
                    &iph->daddr, &iph->saddr);
                goto out;
        }