]> git.baikalelectronics.ru Git - kernel.git/commit
netfilter: remove defensive check on malformed packets from raw sockets
authorPablo Neira Ayuso <pablo@netfilter.org>
Sat, 30 Dec 2017 21:41:46 +0000 (22:41 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 8 Jan 2018 17:11:04 +0000 (18:11 +0100)
commit38ef4f5c1dd9ca0621b44709bc76ca36689e9ad1
tree47f8be7118f28a8d3f4920968c96d3cb596d7ef2
parentc13d0de78185aea82cfe836abf522a5b3b3b3565
netfilter: remove defensive check on malformed packets from raw sockets

Users cannot forge malformed IPv4/IPv6 headers via raw sockets that they
can inject into the stack. Specifically, not for IPv4 since fe6cd7b1b3c9
("AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl
(v2)"). IPv6 raw sockets also ensure that packets have a well-formed
IPv6 header available in the skbuff.

At quick glance, br_netfilter also validates layer 3 headers and it
drops malformed both IPv4 and IPv6 packets.

Therefore, let's remove this defensive check all over the place.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 files changed:
net/ipv4/netfilter/iptable_filter.c
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_raw.c
net/ipv4/netfilter/iptable_security.c
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv4/netfilter/nft_chain_route_ipv4.c
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/netfilter/nf_tables_inet.c