| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170824105118.GA15739@breakpoint.cc>
Date: Thu, 24 Aug 2017 12:51:18 +0200
From: Florian Westphal <fw@...len.de>
To: Michal Kubecek <mkubecek@...e.cz>
Cc: Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
Florian Westphal <fw@...len.de>,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
"Michael S. Tsirkin" <mst@...hat.com>,
Markos Chandras <markos.chandras@...e.com>
Subject: Re: [PATCH nf-next] netfilter: xt_CHECKSUM: avoid bad offload
warnings on GSO packets
Michal Kubecek <mkubecek@...e.cz> wrote:
> When --checksum_fill action is applied to a GSO packet, checksum_tg() calls
> skb_checksum_help() which is only meant to be applied to non-GSO packets so
> that it issues a warning.
>
> This can be easily triggered by using e.g.
>
> iptables -t mangle -A OUTPUT -j CHECKSUM --checksum-fill
>
> and sending TCP stream via a device with GSO enabled.
>
> While this can be considered a misconfiguration, I believe the bad offload
> warning is supposed to catch bugs in drivers and networking stack, not
> misconfigured firewalls. So let's ignore such packets and only issue a one
> time warning with pr_warn_once() rather than a WARN with stack trace and
> tainted kernel.
Why issue a warning at all?
What kind of action should be taken upon seeing such warning?
Powered by blists - more mailing lists