From nobody Mon Jun 8 18:57:48 2026 Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8901B3ED5B8 for ; Wed, 27 May 2026 09:46:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779875194; cv=none; b=j995IHBCiNsrieIN22ShcEkYVhmxfUbdDZKn51MqutvocDA34FY1CvZjBqhdJocagib493qvnJxFxNxd8We9HfgSZCSqZOujAC0WTUzeJnhfHdKVEM43Fgv3yygCOwwazQcRF2moucpa4KQRbhrazhH3tETj0x/KmUxh9iXu/kc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779875194; c=relaxed/simple; bh=FhOru0LkjtK9KlCo9Su4OyMriEnBTJCGfVVgls09jNc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iG5vdAw+8aCCvyDVaUONGDq2+565vnZ+DOV2+FFJi+o/+bNL5f+G8okizQCJ2yR4+UkOolxrWVE+moHf1C8rn9FObikinTkiCs2ljUrvwto7jrbB3tyiXQ2W6eYfGP/LqLO8u+7KuL2ecX/ppqdnQiPvYf73uw1RZamBEJ0ZvPk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=aerlync.com; spf=pass smtp.mailfrom=aerlync.com; dkim=fail (0-bit key) header.d=aerlync.com header.i=@aerlync.com header.b=kMx62GHY reason="key not found in DNS"; arc=none smtp.client-ip=209.85.215.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=aerlync.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aerlync.com Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="key not found in DNS" (0-bit key) header.d=aerlync.com header.i=@aerlync.com header.b="kMx62GHY" Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-c7ffe8eeaf2so4688365a12.0 for ; Wed, 27 May 2026 02:46:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aerlync.com; s=google; t=1779875189; x=1780479989; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PPeZ4rIumdd2AJnMmbRbkMdKC8gRmM+285vY/vqYczk=; b=kMx62GHYY3TfIRqJWmwzhM4ffQNRQxCjVFJtxwHkrVzeH3CmOcKrs7830ashCZxXjw QwqyJh8XNSWCsPzktPEB/mZuH7SCMD1Lp2c6EJBFClVY4LrB+cB6VYcLHKnwBl9HQVRf 5A10aUZX0QnH//e2iIPZqmtvBkeOXNIar1t76uFZuJ3VAA9sS8u2PtMzewVThJVSlgNR 9J8S855rpnY7UikmX6w6fIkza9FzYCV2xDKAYOMk9KGM5CYnf9KnOPRHrIdnqf8JHEXs tD7T4Zn/Y5ID/bCCf0L5EBmTDD2Adh77CVkkPdBE0HI65CEZEnD235O3EGo+3DfwLO8S fEjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779875189; x=1780479989; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=PPeZ4rIumdd2AJnMmbRbkMdKC8gRmM+285vY/vqYczk=; b=XtVfiUBZ74OuDfQ+C482mZTJwoRQoqu44WxBAZWvzCTskU+WkqIcVejUmT2XjtI9gU /TR+H6vpYNAydtVT2+XIgsV5ZAwByD8MmJVc1lBTK16VC3zLGZdYVxqrHCxzr526Zd47 4cMS3oCpJvuZbNSG36XIneAPe+jzRaRAQs/uZm+pT0W3lPqymsFLA024MQqPhTONX39F q6KtU2PtoJXLTya2ahnIgCT9/cleR6iDG9hXmwVkLuX9Vn09ebjHABCH2Bva4Gbm/n9C njiyY1XqPjL+8r/WTx49FyH/z+eRkMJ8/mI8g7Bm5WHohSeYZOuMit54naW4k2x2nbx5 pMew== X-Forwarded-Encrypted: i=1; AFNElJ/bXOKKlcdE6b4+7YjIxDIUo9j0RtSzur0o+R0SA2LQ2Zkkmli1n1fyyBy6AQm5xA6vuBa/tme3qMYTXlI=@vger.kernel.org X-Gm-Message-State: AOJu0YzMWd7D9JFSe9I2yZDR8xImxXRPqL+BF294xr029uhAIubsx0F7 cZDmsjuU2IGIepskWNTpgmxvydsQXhshkm8sDg8WpEVGAjlF47fwJn9FnC/spRFJ6MA= X-Gm-Gg: Acq92OFZuizbCcQ4jzMdcdj5zzAZFSfIHrIMRAk5DwH8yHxtdt2jIye3jM50KM0dYOO lLCpHIgt/SfdOzM97HCWo9PWTeNeZSlxh+/ne+hS0Tb/vh/4hJjG4kmzHJeCc3E5O/lmKF1QPMS 4KbVRmImdNebOF9LCXjq0Iu3wgZxvvvTsVywOPS3SNB88XWj4o93zxtxErrKLnDoATVPFd6kCu5 8sgblXCmatx4zzBGrM1QhHGOxxCSVD93DoUEkb5Swji0WIqrP+gSA/bU8gt5Hj86P9mAIaj2MV8 o33jKl6qepiSUa3KVubTKLlGzqupYF06GkA44D7pj5kEU1kXvVhI7DEUMaPDEkB5/gE7EJNhnUc SrLRZiaV1m+sQRkSzJUgCveApEEQwM7B+ywd5CJi6jKuRrUz4zNopTnBi6LkUHZ3UT/Top3yTum s49uBwfW3+GyuYKdfBDIrGGUcNaEE8q1FaaQBy+7fzNu7U2a6TtnzNaG38ulJShnPcUy5u/g== X-Received: by 2002:a05:6a00:1acb:b0:82f:6e7:1527 with SMTP id d2e1a72fcca58-8415f32f286mr21808866b3a.23.1779875189021; Wed, 27 May 2026 02:46:29 -0700 (PDT) Received: from manjaro ([103.186.230.13]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-841d7301255sm2063068b3a.57.2026.05.27.02.46.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 May 2026 02:46:28 -0700 (PDT) From: Sayooj K Karun To: netdev@vger.kernel.org Cc: dsahern@kernel.org, idosch@nvidia.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-kernel@vger.kernel.org, aleksander.lobakin@intel.com, Sayooj K Karun Subject: [PATCH v2 net] net/ipv6: icmp: fix is_ineligible() to block errors for Redirect packets Date: Wed, 27 May 2026 15:16:01 +0530 Message-ID: <20260527094601.23276-1-sayooj@aerlync.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260526101622.38536-1-sayooj@aerlync.com> References: <20260526101622.38536-1-sayooj@aerlync.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Discovered while reading RFC 4443 and cross-checking the ICMPv6 stack, which in section 2.4(e.2) mandates that an ICMPv6 error MUST NOT be originated in response to an ICMPv6 Redirect message (type 137). is_ineligible() is called by icmpv6_send() to decide whether a received packet is eligible to trigger an ICMPv6 error. It uses ICMPV6_INFOMSG_MASK (0x80) to suppress errors for ICMPv6 error types (bit 7 clear) while passing informational types (bit 7 set). However, NDISC_REDIRECT has type 137 (0x89), which has bit 7 set, so it passes the mask check and is_ineligible() returns false and icmpv6_send() proceeds to generate an error in response to a Redirect, violating the RFC. A triggerable scenario: a host with an ip6tables/nftables REJECT rule applied to incoming ICMPv6 traffic (e.g., dropping Redirects from an untrusted router). When the Redirect hits the REJECT rule, nf_send_unreach6() calls icmpv6_send() with the Redirect as the triggering skb. Without this fix, is_ineligible() returns false and a Destination Unreachable is erroneously transmitted in response. Add an explicit check for NDISC_REDIRECT so that Redirect packets are treated as ineligible, suppressing ICMPv6 error generation in response to them. Signed-off-by: Sayooj K Karun --- The bug can be triggered via a netfilter REJECT rule targeting ICMPv6 Redirect packets. Consider a host with the following rule: ip6tables -A INPUT -s -p icmpv6 --icmpv6-type redirect= \ -j REJECT --reject-with icmp6-adm-prohibited When a Redirect packet (type 137) arrives from that source, the packet enters ip6_input(), which invokes NF_HOOK(NF_INET_LOCAL_IN). The netfilter framework iterates the registered hook entries via nf_hook_slow(), reaches the ip6tables filter table, and evaluates the rules. The incoming Redirect matches the rule, causing reject_tg6() (net/ipv6/netfilter/ip6t_REJECT.c) to be called as the rule's target action. reject_tg6() calls nf_send_unreach6(), which in turn calls icmpv6_send() with the Redirect packet as the triggering skb. Inside icmpv6_send(), is_ineligible() is called to decide whether to suppress the error. The function detects that the inner protocol is IPPROTO_ICMPV6 and reads the ICMPv6 type byte. NDISC_REDIRECT is type 137 (0x89). The check !(*tp & ICMPV6_INFOMSG_MASK) evaluates as !(0x89 & 0x80) =3D !(0x80) =3D false, so is_ineligible() falls through and returns false and the kernel proceeds to transmit a Destination Unreachable in response to the Redirect, violating RFC 4443 section 2.4(e.2). Tested using network namespaces with the above ip6tables rule. Without the fix, tcpdump confirms a Destination Unreachable is transmitted in response to the Redirect. With the fix applied and verified under QEMU, no error is generated. From the RFC: (e) An ICMPv6 error message MUST NOT be originated as a result of receiving the following: (e.1) An ICMPv6 error message. (e.2) An ICMPv6 redirect message [IPv6-DISC]. ... net/ipv6/icmp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index efb23807a026..3fdb3a97dd8e 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -157,7 +157,8 @@ static bool is_ineligible(const struct sk_buff *skb) */ if (!tp && frag_off !=3D 0) return false; - else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK)) + else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK) || + *tp =3D=3D NDISC_REDIRECT) return true; } return false; --=20 2.53.0