Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of packet redirection between network namespaces has been identified. When a BPF program uses 'bpf_redirect_peer' to redirect a packet to the peer device in another network namespace, the socket buffer (skb) is not scrubbed the way it is on a normal namespace crossing through a veth pair. Per-namespace state attached to the skb, such as the IPsec secpath recorded when the host decrypted the packet, the cached route and conntrack references, therefore survives into the destination namespace and is consumed there as if it belonged to it. For instance, this causes Cilium to drop traffic when packets that have just undergone IPsec decryption in the host namespace are redirected into a container namespace: the container's XFRM input policy check sees the host's secpath, finds no XFRM policy in the container namespace that matches the host XFRM state used for decryption, and rejects the packet. The mismatch between the container's XFRM policies and the host's XFRM state is the symptom; the root cause is the missing scrub on the 'bpf_redirect_peer' path.
The impact is loss of traffic rather than memory corruption: packets redirected from the host into a container network namespace with 'bpf_redirect_peer' are dropped, disrupting expected traffic flow for applications such as Cilium that rely on the skb carrying only the destination namespace's state after a cross-namespace redirect.
To reproduce this vulnerability, redirect a packet that has just been decrypted by IPsec in the host's network namespace to a container's network namespace using 'bpf_redirect_peer', with no XFRM policy in the container namespace matching the host state. The packet is dropped by the container namespace's XFRM input policy check because it still carries the host's secpath; the XfrmInNoPols counter in /proc/net/xfrm_stat, read inside the container namespace, increments for each such drop, which distinguishes this case from an ordinary routing or firewall drop and shows that the skb was not scrubbed during the redirection.
The vulnerability has been addressed in the Linux kernel by scrubbing the skb (skb_scrub_packet) when 'bpf_redirect_peer' moves it to a device in another network namespace, similar to the handling on typical netns switches via veth devices, so that the secpath, cached route and other per-namespace references from the source namespace no longer reach the destination namespace.
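The following userspace C program is an added example, not kernel code and not Cilium's code. It models the skb fields that skb_scrub_packet() resets, a simplified version of the XFRM inbound policy decision, and the BPF_F_PEER branch of skb_do_redirect() before and after the fix, so that the drop described above and its resolution can be traced on a constructed flow. The struct layouts, the function deliver_after_peer_redirect() and the namespace/policy data are invented for the model; that the fix scrubs with the xnet flag unset so the skb mark is preserved (unlike the veth path) is an assumption made here, not a statement taken from this page.

```c
/*
 * Added example (not kernel or Cilium code): a userspace model of the skb
 * fields that skb_scrub_packet() resets, of the XFRM inbound policy
 * decision, and of the BPF_F_PEER branch of skb_do_redirect() before and
 * after the fix. Names such as deliver_after_peer_redirect() are invented
 * for this model; the namespace and policy data below is constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { PACKET_HOST = 0 };
enum { NO_SECPATH = -1, XFRM_MODE_TRANSPORT = 0, XFRM_MODE_TUNNEL = 1 };

/* A network namespace reduced to what the policy check needs: whether it
 * holds an XFRM policy that matches the redirected flow. */
struct net {
    const char *name;
    bool has_matching_policy;
};

/* The subset of sk_buff state touched by skb_scrub_packet(). */
struct sk_buff {
    const struct net *dev_net;  /* namespace of skb->dev */
    int pkt_type;
    int skb_iif;
    const void *dst;            /* cached route, skb_dst() */
    int secpath_mode;           /* mode of the xfrm state that decrypted it */
    const void *nfct;           /* conntrack entry */
    unsigned int mark;
    unsigned long tstamp;
};

/* Model of skb_scrub_packet(skb, xnet). veth passes xnet=true when the
 * skb crosses namespaces, which additionally wipes mark and timestamp. */
static void skb_scrub_packet(struct sk_buff *skb, bool xnet)
{
    skb->pkt_type = PACKET_HOST;
    skb->skb_iif = 0;
    skb->dst = NULL;                 /* skb_dst_drop() */
    skb->secpath_mode = NO_SECPATH;  /* skb_ext_reset() drops SKB_EXT_SEC_PATH */
    skb->nfct = NULL;                /* nf_reset_ct() */
    if (!xnet)
        return;
    skb->mark = 0;
    skb->tstamp = 0;
}

/* Simplified __xfrm_policy_check() on the inbound path of the receiving
 * namespace: with no matching policy, a packet still carrying a tunnel-mode
 * secpath is rejected (the XfrmInNoPols case); a packet with no secpath is
 * accepted under the default accept policy. */
static bool xfrm_policy_check(const struct net *net, const struct sk_buff *skb)
{
    if (net->has_matching_policy)
        return true;
    return skb->secpath_mode != XFRM_MODE_TUNNEL;
}

/* Model of the BPF_F_PEER branch of skb_do_redirect(): hand the skb to the
 * peer device in the other namespace. scrub=false is the kernel before the
 * fix; scrub=true scrubs with xnet=false so the mark set by the host-side
 * BPF program survives (assumption about the fix, see the lead-in). */
static void bpf_redirect_peer(struct sk_buff *skb, const struct net *peer_net, bool scrub)
{
    skb->dev_net = peer_net;
    if (scrub)
        skb_scrub_packet(skb, false);
}

/* Constructed scenario: the host namespace has just decrypted a tunnel-mode
 * IPsec packet (secpath present, mark set), then redirects it to the
 * container peer, whose namespace has no XFRM policy for that state.
 * Returns whether the container namespace delivers the packet; the skb's
 * mark after redirection is reported through mark_out. */
static bool deliver_after_peer_redirect(bool scrub, unsigned int *mark_out)
{
    static const struct net host = { "host", true };
    static const struct net container = { "container", false };
    struct sk_buff skb = {
        .dev_net = &host, .pkt_type = PACKET_HOST, .skb_iif = 2,
        .dst = &host, .secpath_mode = XFRM_MODE_TUNNEL, .nfct = &host,
        .mark = 0xa00, .tstamp = 1234,
    };

    bpf_redirect_peer(&skb, &container, scrub);
    if (mark_out)
        *mark_out = skb.mark;
    return xfrm_policy_check(&container, &skb);
}

int main(void)
{
    unsigned int mark = 0;
    printf("unscrubbed redirect delivered: %s\n",
           deliver_after_peer_redirect(false, &mark) ? "yes" : "no (dropped)");
    printf("scrubbed redirect delivered:   %s, mark kept: 0x%x\n",
           deliver_after_peer_redirect(true, &mark) ? "yes" : "no", mark);
    return 0;
}
```

Run stand-alone, the unscrubbed redirect is dropped by the container namespace's policy check because the host's tunnel-mode secpath is still attached, while the scrubbed redirect is delivered with the mark intact. In the real kernel the same decision is made by __xfrm_policy_check() on the packet's way to ip_local_deliver in the container namespace, and the secpath is removed by skb_ext_reset() inside skb_scrub_packet().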