| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Apr 2016 13:59:31 -0700 From: Ben Greear <greearb@...delatech.com> To: Tom Herbert <tom@...bertland.com> CC: Ben Hutchings <ben@...adent.org.uk>, Sabrina Dubroca <sd@...asysnail.net>, Hannes Frederic Sowa <hannes@...essinduktion.org>, LKML <linux-kernel@...r.kernel.org>, stable@...r.kernel.org, akpm@...ux-foundation.org, "David S. Miller" <davem@...emloft.net>, Vijay Pandurangan <vijayp@...ayp.ca>, Cong Wang <cwang@...pensource.com>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Evan Jones <ej@...njones.ca>, Nicolas Dichtel <nicolas.dichtel@...nd.com>, Phil Sutter <phil@....cc>, Toshiaki Makita <makita.toshiaki@....ntt.co.jp>, Cong Wang <xiyou.wangcong@...il.com> Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. On 04/30/2016 12:54 PM, Tom Herbert wrote: > We've put considerable effort into cleaning up the checksum interface > to make it as unambiguous as possible, please be very careful to > follow it. Broken checksum processing is really hard to detect and > debug. > > CHECKSUM_UNNECESSARY means that some number of _specific_ checksums > (indicated by csum_level) have been verified to be correct in a > packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is > never right. If CHECKSUM_UNNECESSARY is set in such a manner but the > checksum it would refer to has not been verified and is incorrect this > is a major bug. Suppose I know that the packet received on a packet-socket has already been verified by a NIC that supports hardware checksumming. Then, I want to transmit it on a veth interface using a second packet socket. I do not want veth to recalculate the checksum on transmit, nor to validate it on the peer veth on receive, because I do not want to waste the CPU cycles. I am assuming that my app is not accidentally corrupting frames, so the checksum can never be bad. How should the checksumming be configured for the packets going into the packet-socket from user-space? Also, I might want to send raw frames that do have broken checksums (lets assume a real NIC, not veth), and I want them to hit the wire with those bad checksums. How do I configure the checksumming in this case? Thanks, Ben > > Tom > > On Sat, Apr 30, 2016 at 12:40 PM, Ben Greear <greearb@...delatech.com> wrote: >> >> >> On 04/30/2016 11:33 AM, Ben Hutchings wrote: >>> >>> On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote: >>>> >>>> Hello, >> >> >>>>> >>>>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a >>>> >>>> Actually, no, this is not really a regression. >>> >>> [...] >>> >>> It really is. Even though the old behaviour was a bug (raw packets >>> should not be changed), if there are real applications that depend on >>> that then we have to keep those applications working somehow. >> >> >> To be honest, I fail to see why the old behaviour is a bug when sending >> raw packets from user-space. If raw packets should not be changed, then >> we need some way to specify what the checksum setting is to begin with, >> otherwise, user-space has not enough control. >> >> A socket option for new programs, and sysctl configurable defaults for raw >> sockets >> for old binary programs would be sufficient I think. >> >> >> Thanks, >> Ben >> >> -- >> Ben Greear <greearb@...delatech.com> >> Candela Technologies Inc http://www.candelatech.com > -- Ben Greear <greearb@...delatech.com> Candela Technologies Inc http://www.candelatech.com
Powered by blists - more mailing lists