From nobody Mon Jun 8 18:57:55 2026 Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B1E53AC0FB for ; Wed, 27 May 2026 09:51:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779875485; cv=none; b=j1KcgFhijHnU1s6bReZLXNQw2vitPYtK8XXRY+6qIquKvTCtTrFV2UhfnGqaEvYPw1ZnWOenyIqSCe3sDmZC9ipR2xlkbICyc6LRr/to1QBMTBgLrFHIsQ8tdVjrP0Mfl95g/wap1tn8WU5uPHubr9RueL0Rn7ljuyPO3hGnNqQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779875485; c=relaxed/simple; bh=FhOru0LkjtK9KlCo9Su4OyMriEnBTJCGfVVgls09jNc=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=B2X07iczawsT80uFqbfHaNIDgPB78jsliAch45aGfSE4eqhIdh3VYVnOmEH3ubukHKY6dXOwM9u3A/4paKAYPJeK49OA1vq5k9TgJ/nO9/NguuqrweDOY5QJV9THe5mk/kuja0aBLzIHuxaOPoGi9+iSR/9CWK07VmDjgtiytWQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=aerlync.com; spf=pass smtp.mailfrom=aerlync.com; dkim=fail (0-bit key) header.d=aerlync.com header.i=@aerlync.com header.b=NDkFc10s reason="key not found in DNS"; arc=none smtp.client-ip=209.85.215.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=aerlync.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aerlync.com Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="key not found in DNS" (0-bit key) header.d=aerlync.com header.i=@aerlync.com header.b="NDkFc10s" Received: by mail-pg1-f178.google.com with SMTP id 41be03b00d2f7-c80291e6237so7918195a12.0 for ; Wed, 27 May 2026 02:51:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aerlync.com; s=google; t=1779875482; x=1780480282; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=PPeZ4rIumdd2AJnMmbRbkMdKC8gRmM+285vY/vqYczk=; b=NDkFc10sbyzP5yGuy/pgSxQsIxx3eq8N9p7j/2FL/Uu/Bn4MTLDJo6Wgr9nD5IQJQZ UUKkzovChcTDSOLDodWqM1S/CvxRVSLx3wITyOfGxkrhx8FmmXrPgCbAR0KZ4B1hO27+ 9VJMLWau5YZ9RksZk1d+RLvx11cagK9sagxBpC+g0dyCBcncKQywSKXSpI4qw/VeoZF2 Wv265sLJmLSWyF0pFSWnAi2YyQFi0xGCX9SlvlIi8YqODaT4wn5f71SWOQEdKy32w7XO rwk9QnPOV6A8Igg+PRTDIWb17qBme+dic0Hd6PON9ya1npNQ2XRNU3Y7PBMc+eGkhAEB OVSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779875482; x=1780480282; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=PPeZ4rIumdd2AJnMmbRbkMdKC8gRmM+285vY/vqYczk=; b=fZ/KJWIlBkk76A6uWvDwSkXM7EeygL4pP/+OX8tTiHgTPMEodivE/T/Gt3djKGRf58 iVsIMtyk/8nbMOZptHm+gu+e6WnTvfacJVp1nzYxh81TEPY0F110d4Wgc82TW9YdLXae oSCICYsaNwakGCKcCuHqC+2Tv24eC/4c8SP98XG8lHLCGlxYu587H4RFxAXh95yh2Wj4 B9gZVzKmZFH+IuFXpPfIKrfmcLZHdE0+QkXRP8Ajs7+HGKqK1ZpXjZNebQQB2lECC7k+ HxfSfOtP3dKuRO0MTHMdwtD5Pl267RshHnc8wqIezk+xBzDze0RmKi3xbY3GPewA0iqz HZZA== X-Forwarded-Encrypted: i=1; AFNElJ8/yqcDT7utqVdmG3SYLeIt73FjWvevoO/LF4Jv63Qo2dPGR90IFWfud3efYYWPINzBgOEASCDLaL+CHQM=@vger.kernel.org X-Gm-Message-State: AOJu0Yyjgh43H7vcukQkNoJjOKPr6NHD/irbcKw19iGJRTIFK64gHadd Z9V769wN5ez/xaIbsDzULniqTG3PvXKm3PYN9oBkV8HA6GxYOqfy7H/VzASjsgD2B9E= X-Gm-Gg: Acq92OH1aI3QIjsisKnqiNrFF7/y2WqHz8X+r6uK5G0BpJ19FigjlsETI4bWM3eonFP 3k7Njejbsq1PoZXtFYLw0MCxYmp1nWZu062nScYSgKwuHmC9C04PO9VQ/G2qaoaW70wIWRR4d6o 7/d6yv3nCxR+Rcv1CfNN119rNAZ/1sP3qsi8ZqDOpFCeeH8QqQgqZTMDsVZT7Fbn3HZX1YhESI2 R/xybZ96P2w8gGgpeksnYMks0+ctIJnz1tSGOaVhqAtS0QDEBdoGbJj1Xq1QN3Tahg5CpelCNyw YPHF5e5k7dxNlkSn9Dg6Gyaql8LssqfEXJdAk7AsP+Uh6xoPV1/cuTFFemqgPJ+Cm/5Bd80JhU9 wWfKnh4WSXWY+t0emQSVyXF6bcdxHRbHmxb636wm5s9+OkUn1nMLFlqi6ea+l5yhICJxwzUIq6E VFjoyDhVMER2zaE/2YJFFSdWWT6jstE/NFlGE8AugnSVT+dK67fdL8xDslhEjnHcjpo3+dKQ== X-Received: by 2002:a05:6a21:4d8d:b0:3a2:dabf:fef9 with SMTP id adf61e73a8af0-3b328eb2e40mr24190306637.27.1779875482422; Wed, 27 May 2026 02:51:22 -0700 (PDT) Received: from manjaro ([103.186.230.13]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c8520561e94sm13332089a12.22.2026.05.27.02.51.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 May 2026 02:51:22 -0700 (PDT) From: Sayooj K Karun To: netdev@vger.kernel.org Cc: dsahern@kernel.org, idosch@nvidia.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-kernel@vger.kernel.org, aleksander.lobakin@intel.com, Sayooj K Karun Subject: [PATCH v2 net] net/ipv6: icmp: fix is_ineligible() to block errors for Redirect packets Date: Wed, 27 May 2026 15:20:55 +0530 Message-ID: <20260527095055.23413-1-sayooj@aerlync.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Discovered while reading RFC 4443 and cross-checking the ICMPv6 stack, which in section 2.4(e.2) mandates that an ICMPv6 error MUST NOT be originated in response to an ICMPv6 Redirect message (type 137). is_ineligible() is called by icmpv6_send() to decide whether a received packet is eligible to trigger an ICMPv6 error. It uses ICMPV6_INFOMSG_MASK (0x80) to suppress errors for ICMPv6 error types (bit 7 clear) while passing informational types (bit 7 set). However, NDISC_REDIRECT has type 137 (0x89), which has bit 7 set, so it passes the mask check and is_ineligible() returns false and icmpv6_send() proceeds to generate an error in response to a Redirect, violating the RFC. A triggerable scenario: a host with an ip6tables/nftables REJECT rule applied to incoming ICMPv6 traffic (e.g., dropping Redirects from an untrusted router). When the Redirect hits the REJECT rule, nf_send_unreach6() calls icmpv6_send() with the Redirect as the triggering skb. Without this fix, is_ineligible() returns false and a Destination Unreachable is erroneously transmitted in response. Add an explicit check for NDISC_REDIRECT so that Redirect packets are treated as ineligible, suppressing ICMPv6 error generation in response to them. Signed-off-by: Sayooj K Karun --- The bug can be triggered via a netfilter REJECT rule targeting ICMPv6 Redirect packets. Consider a host with the following rule: ip6tables -A INPUT -s -p icmpv6 --icmpv6-type redirect= \ -j REJECT --reject-with icmp6-adm-prohibited When a Redirect packet (type 137) arrives from that source, the packet enters ip6_input(), which invokes NF_HOOK(NF_INET_LOCAL_IN). The netfilter framework iterates the registered hook entries via nf_hook_slow(), reaches the ip6tables filter table, and evaluates the rules. The incoming Redirect matches the rule, causing reject_tg6() (net/ipv6/netfilter/ip6t_REJECT.c) to be called as the rule's target action. reject_tg6() calls nf_send_unreach6(), which in turn calls icmpv6_send() with the Redirect packet as the triggering skb. Inside icmpv6_send(), is_ineligible() is called to decide whether to suppress the error. The function detects that the inner protocol is IPPROTO_ICMPV6 and reads the ICMPv6 type byte. NDISC_REDIRECT is type 137 (0x89). The check !(*tp & ICMPV6_INFOMSG_MASK) evaluates as !(0x89 & 0x80) =3D !(0x80) =3D false, so is_ineligible() falls through and returns false and the kernel proceeds to transmit a Destination Unreachable in response to the Redirect, violating RFC 4443 section 2.4(e.2). Tested using network namespaces with the above ip6tables rule. Without the fix, tcpdump confirms a Destination Unreachable is transmitted in response to the Redirect. With the fix applied and verified under QEMU, no error is generated. From the RFC: (e) An ICMPv6 error message MUST NOT be originated as a result of receiving the following: (e.1) An ICMPv6 error message. (e.2) An ICMPv6 redirect message [IPv6-DISC]. ... net/ipv6/icmp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index efb23807a026..3fdb3a97dd8e 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -157,7 +157,8 @@ static bool is_ineligible(const struct sk_buff *skb) */ if (!tp && frag_off !=3D 0) return false; - else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK)) + else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK) || + *tp =3D=3D NDISC_REDIRECT) return true; } return false; --=20 2.53.0