| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Jul 2009 18:30:29 -0700 (PDT) From: David Miller <davem@...emloft.net> To: herbert@...dor.apana.org.au Cc: christophe@...ut.de, netdev@...r.kernel.org Subject: Re: [RFC] Fixing up TCP/UDP checksum for UDP encap. ESP4 packets in transport mode From: Herbert Xu <herbert@...dor.apana.org.au> Date: Tue, 30 Jun 2009 22:08:35 +0800 > On Tue, Jun 30, 2009 at 03:00:36PM +0800, Herbert Xu wrote: >> >> Now as to the technical problem of how to recompute the checksums >> cleanly, may I draw your attention to gso_send_checksum which does >> exactly what you want. > > Something like this untested patch. Note that I still think this > is totally wrong (see the patch description for an explanation). > Perhaps a better way to do this is to write a netfilter module to > fix up checksums on egress. That way it would be even more explicit > that you should do the checksum verification on the opposite end > as well. > > The real solution is to get natoa, or even better, ditch transport > mode if you're doing NAT. Ugly solution or not I don't like this patch because it requires userspace to set this new attribute just to get correct checksums. Can't we just detect the "came through remote peer" situation and just do the checksum fixup in that case? Anything that doesn't require use changes, and as you've implemented it the user change is only possible with netlink IPSEC users. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists