Hi
The following patch did resolve the issue for me on 5.16.0-rc8. I will
also test it on 4.19.0-*-amd64 as soon as I have a working build env for
a buster kernel.
cheerio
Steve
-------- Forwarded Message --------
Subject: Re: nftables stateless NAT in raw table mangles fragmented UDP packets
Date: Fri, 31 Dec 2021 14:39:02 +0100
From: Pablo Neira Ayuso <[email protected]>
To: Steffen Weinreich <[email protected]>
CC: [email protected]
On Fri, Dec 31, 2021 at 02:37:47PM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> On Fri, Dec 31, 2021 at 01:02:13PM +0100, Steffen Weinreich wrote:
> > Hi
> >
> > We have been using kernel 5.10 and nftables (0.9.8-3.1) from Debian for a
> > stateless NAT GW. We are using the nftables "raw" tables to statically
> > replace source and destination addresses for packets traversing the
> > host with two nftables maps, without any connection tracking. The bug is
> > also reproducible in a Debian 5.16 kernel from experimental.
> >
> > If fragmented UDP packets are traversing the gateway the second fragment
> > gets modified at the location where in a non-fragmented packet the UDP
> > checksum would be located.
> >
> > On the sample below the packet content at 0x1a-0x1b was changed from
> > 0x61 0x61 to 0xba 0x9e
>
> Could you give a try to this kernel patch?
Wrong patch, attaching again.
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index bd689938a2e0..58e96a0fe0b4 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -546,6 +546,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
struct sk_buff *skb,
unsigned int *l4csum_offset)
{
+ if (pkt->fragoff)
+ return -1;
+
switch (pkt->tprot) {
case IPPROTO_TCP:
*l4csum_offset = offsetof(struct tcphdr, check);
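Review bot: the new early return `if (pkt->fragoff) return -1;` in nft_payload_l4csum_offset() carries no comment, and the reason is not obvious from the three lines alone; a one-liner such as `/* non-first fragments carry no transport header, so there is no L4 checksum to fix up */` would tie it to the reported payload corruption at the would-be checksum offset. It is also worth confirming in the same change that every caller treats -1 from this helper as "skip the checksum update" rather than as an error that drops the packet, since the hunk does not show the callers and the intent is to forward the fragment untouched.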
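The bug report above explains why bytes 0x1a-0x1b of the second fragment get rewritten: a 20-byte IPv4 header plus offsetof(struct udphdr, check) = 6 gives 0x1a, which in a non-first fragment is plain payload, not a checksum. The following Python model is an added example, not code from the thread or from the kernel; it constructs a small UDP datagram split into two IPv4 fragments, computes the checksum offset both without and with the fragment-offset guard the patch adds, and applies a simplified stateless source-NAT with an RFC 1624 incremental checksum fix-up (a stand-in for the kernel's own csum helpers). All packet contents, addresses and the function names are constructed for the example.

```python
import struct

IPPROTO_UDP = 17
IP_MF = 0x2000        # "more fragments" flag in the IPv4 flags/fragment-offset field
IP_OFFMASK = 0x1fff   # fragment offset, in units of 8 bytes
UDP_CHECK_OFF = 6     # offsetof(struct udphdr, check)


def ipv4_packet(payload, frag_field, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed 20-byte IPv4 header + payload (IP header checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      frag_field, 64, IPPROTO_UDP, 0, src, dst)
    return hdr + payload


def udp_fragments():
    """A constructed 32-byte UDP datagram (8-byte header + 24 x 'a') split into
    two 16-byte IP fragments, mirroring the layout in the report."""
    udp = struct.pack("!HHHH", 1234, 5678, 32, 0x1234) + b"a" * 24
    first = ipv4_packet(udp[:16], IP_MF | 0)    # offset 0, more fragments follow
    second = ipv4_packet(udp[16:], 16 // 8)     # offset 2 (= 16 bytes), last fragment
    return first, second


def l4csum_offset(pkt, skip_fragments):
    """Offset of the UDP checksum within the packet, or None when nothing should be
    fixed up.  skip_fragments=False models the pre-patch logic: the offset is derived
    from the transport protocol alone, even for non-first fragments where those bytes
    are payload.  skip_fragments=True models the patch's `if (pkt->fragoff) return -1;`."""
    ihl = (pkt[0] & 0x0f) * 4
    proto = pkt[9]
    fragoff = struct.unpack("!H", pkt[6:8])[0] & IP_OFFMASK
    if skip_fragments and fragoff:
        return None
    if proto == IPPROTO_UDP:
        return ihl + UDP_CHECK_OFF
    return None


def ones_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xffff) + (s >> 16)


def csum_update(old_csum, old_bytes, new_bytes):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m') over 16-bit words."""
    c = ~old_csum & 0xffff
    for i in range(0, len(old_bytes), 2):
        m = int.from_bytes(old_bytes[i:i + 2], "big")
        m_new = int.from_bytes(new_bytes[i:i + 2], "big")
        c = ones_add(ones_add(c, ~m & 0xffff), m_new)
    return ~c & 0xffff


def stateless_snat(pkt, new_src, skip_fragments):
    """Rewrite the IPv4 source address and fix up the transport checksum in place,
    the way a stateless NAT rule in the raw table would."""
    pkt = bytearray(pkt)
    old_src = bytes(pkt[12:16])
    pkt[12:16] = new_src
    off = l4csum_offset(pkt, skip_fragments)
    if off is not None:
        old = struct.unpack("!H", pkt[off:off + 2])[0]
        if old != 0:  # a zero UDP checksum means "no checksum": leave it alone
            struct.pack_into("!H", pkt, off, csum_update(old, old_src, new_src))
    return bytes(pkt)


if __name__ == "__main__":
    first, second = udp_fragments()
    new_src = b"\x0a\x00\x00\x09"
    print("naive offset on 2nd fragment:", hex(l4csum_offset(second, False)))
    print("payload there:", second[0x1a:0x1c])
    print("naive SNAT mangles it to:", stateless_snat(second, new_src, False)[0x1a:0x1c])
    print("guarded SNAT leaves it:", stateless_snat(second, new_src, True)[0x1a:0x1c])
```

Run stand-alone, the model reproduces the shape of the report: the unguarded path computes 0x1a for the second fragment and overwrites two bytes of application data there, while the guarded path rewrites the address and leaves the fragment's payload intact; the first fragment, which really does carry the UDP header, gets its checksum adjusted on both paths.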