| field | value | date |
|---|---|---|
| author | Florian Westphal <fw@strlen.de> | 2026-05-16 23:23:21 +0800 |
| committer | Florian Westphal <fw@strlen.de> | 2026-05-22 12:28:46 +0200 |
| commit | 968cc2c96390f06e56ed6a43f935bfebdefed28f (patch) | |
| tree | 7deb736a22c509d5e560980b5f47b63d871e18fd /include/linux/debug_locks.h | |
| parent | c376f07e16c02239ed44cabb97145d03f65b4d15 (diff) | |
netfilter: disable payload mangling in userns
Several parts of the network stack rely on iph->ihl validation
done by the network stack before PRE_ROUTING.
Disable this feature for user namespaces for now.
tcp option handling is likely safe even for LOCAL_IN, so this
leaves tcp option mangling via nft_exthdr.c as-is.
I don't think these are the only means to alter packets, but these
appear to be relatively prominent.
This could be relaxed later. Example:
- allow userns for ingress hook.
- allow userns if base is transport header.
Also, we should revalidate or restrict generally:
- Don't allow linklayer writes to spill into network header
- restrict ipv4 and ipv6 to 'known safe' writes, e.g. saddr/daddr/check/tos
Reported-by: Qi Tang <tpluszz77@gmail.com>
Reported-by: Tong Liu <lyutoon@gmail.com>
Tested-by: Qi Tang <tpluszz77@gmail.com>
Link: https://lore.kernel.org/netfilter-devel/20260515100411.3141-1-fw@strlen.de/
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/linux/debug_locks.h')
0 files changed, 0 insertions, 0 deletions
