CVE-2025-22021

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
16/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: socket: Lookup orig tuple for IPv6 SNAT

nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to restore the original 5-tuple in case of SNAT, to be able to find the right socket (if any). Then socket_match() can correctly check whether the socket was transparent.

However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this conntrack lookup, making xt_socket fail to match on the socket when the packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.

IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as pods' addresses are in the fd00::/8 ULA subnet and need to be replaced with the node's external address. Cilium leverages Envoy to enforce L7 policies, and Envoy uses transparent sockets. Cilium inserts an iptables prerouting rule that matches on `-m socket --transparent` and redirects the packets to localhost, but it fails to match SNATed IPv6 packets due to that missing conntrack lookup.
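As an added illustration, not the kernel's code or the patch itself, here is a small C model of the two lookup paths the description contrasts: the conntrack step that restores the original tuple for an SNATed reply, and what the transparent-socket match sees when that step is skipped. The addresses, the conntrack entry and the socket table are constructed, and `socket_match_transparent` with its `lookup_orig` flag stands in for nf_sk_lookup_slow_v4/v6 plus socket_match().

```c
/* Toy model of the xt_socket lookup paths, not kernel code; every address and table is constructed. */
#include <stdbool.h>
#include <string.h>

typedef struct { const char *saddr, *daddr; unsigned sport, dport; } tuple_t;

static bool tuple_eq(const tuple_t *a, const tuple_t *b)
{
    return strcmp(a->saddr, b->saddr) == 0 && strcmp(a->daddr, b->daddr) == 0 &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Constructed conntrack entry for one pod-to-world flow: the original direction, and
 * the reply as it arrives after SNAT (dst is the node's external address, not the pod's). */
typedef struct { tuple_t orig, reply; } ct_entry_t;
static const ct_entry_t ct_table[] = {
    { { "fd00::a", "2001:db8::1", 40000, 443 }, { "2001:db8::1", "2001:db8::100", 443, 40000 } },
};

/* Constructed socket table: the transparent socket is keyed on the flow the application
 * sees, i.e. with the pod's fd00::/8 address as destination. */
typedef struct { tuple_t key; bool transparent; } sock_t;
static const sock_t sock_table[] = { { { "2001:db8::1", "fd00::a", 443, 40000 }, true } };

/* What the IPv4 path does for an SNATed reply: swap the post-SNAT destination for the
 * original direction's source. Leaves *key untouched when no conntrack entry matches. */
static void ct_restore_orig(tuple_t *key)
{
    for (size_t i = 0; i < sizeof ct_table / sizeof ct_table[0]; i++)
        if (tuple_eq(key, &ct_table[i].reply)) {
            key->daddr = ct_table[i].orig.saddr;
            key->dport = ct_table[i].orig.sport;
            return;
        }
}

/* Model of `-m socket --transparent`: lookup_orig is true on the IPv4 path and on the
 * fixed IPv6 path, false on the IPv6 path before the fix. */
bool socket_match_transparent(const tuple_t *pkt, bool lookup_orig)
{
    tuple_t key = *pkt;
    if (lookup_orig)
        ct_restore_orig(&key);
    for (size_t i = 0; i < sizeof sock_table / sizeof sock_table[0]; i++)
        if (tuple_eq(&key, &sock_table[i].key))
            return sock_table[i].transparent;
    return false;
}
```

The same SNATed reply matches on the path that restores the original tuple and misses on the path that does not, which is the behaviour the description attributes to IPv4 versus the unfixed IPv6 code.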

Impact