From 1aa9bc1f5e4d27b2b91fed74b9eb2e545e90065d Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Fri, 3 Oct 2025 16:58:39 +0200 Subject: [PATCH] bpf: clat: fix error handling for IPv6 packets There are 3 possible results from clat_translate_v6(): 1. the packet didn't match the CLAT IPv6 address and must be accepted; 2. the packet matches but it is invalid and so it must be dropped; 3. the packet matches and it is valid; clat_handle_v6() should translate the packet to IPv4; Before, the function returned TC_ACT_SHOT for both 2 and 3. Therefore, clat_handle_v6() tried to rewrite also invalid packets. Fix that by returning TC_ACT_UNSPEC for valid packets, meaning that there isn't a final verdict yet. --- src/core/bpf/clat.bpf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/core/bpf/clat.bpf.c b/src/core/bpf/clat.bpf.c index 8dc86a45f1..39349b4efb 100644 --- a/src/core/bpf/clat.bpf.c +++ b/src/core/bpf/clat.bpf.c @@ -637,6 +637,7 @@ icmp_out: *dst_hdr_out = dst_hdr; + ret = TC_ACT_UNSPEC; out: return ret; } @@ -656,10 +657,12 @@ clat_handle_v6(struct __sk_buff *skb, struct hdr_cursor *nh) int ip_offset = (nh->pos - data) & 0x1fff; ret = clat_translate_v6(skb, nh, data_end, &dst_hdr, 0); - if (ret != TC_ACT_SHOT) { + if (ret != TC_ACT_UNSPEC) { goto out; } + ret = TC_ACT_SHOT; + if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), 0)) goto out;