| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220216152842.GA20500@breakpoint.cc>
Date: Wed, 16 Feb 2022 16:28:42 +0100
From: Florian Westphal <fw@...len.de>
To: Gal Pressman <gal@...dia.com>
Cc: Pablo Neira Ayuso <pablo@...filter.org>,
netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, kuba@...nel.org, kevmitch@...sta.com
Subject: Re: [PATCH net-next 01/14] netfilter: conntrack: mark UDP zero
checksum as CHECKSUM_UNNECESSARY
Gal Pressman <gal@...dia.com> wrote:
[ CC patch author ]
> > The udp_error function verifies the checksum of incoming UDP packets if
> > one is set. This has the desirable side effect of setting skb->ip_summed
> > to CHECKSUM_COMPLETE, signalling that this verification need not be
> > repeated further up the stack.
> >
> > Conversely, when the UDP checksum is empty, which is perfectly legal (at least
> > inside IPv4), udp_error previously left no trace that the checksum had been
> > deemed acceptable.
> >
> > This was a problem in particular for nf_reject_ipv4, which verifies the
> > checksum in nf_send_unreach() before sending ICMP_DEST_UNREACH. It makes
> > no accommodation for zero UDP checksums unless they are already marked
> > as CHECKSUM_UNNECESSARY.
> >
> > This commit ensures packets with empty UDP checksum are marked as
> > CHECKSUM_UNNECESSARY, which is explicitly recommended in skbuff.h.
> >
> > Signed-off-by: Kevin Mitchell <kevmitch@...sta.com>
> > Acked-by: Florian Westphal <fw@...len.de>
> > Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> > ---
> > net/netfilter/nf_conntrack_proto_udp.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
> > index 3b516cffc779..12f793d8fe0c 100644
> > --- a/net/netfilter/nf_conntrack_proto_udp.c
> > +++ b/net/netfilter/nf_conntrack_proto_udp.c
> > @@ -63,8 +63,10 @@ static bool udp_error(struct sk_buff *skb,
> > }
> >
> > /* Packet with no checksum */
> > - if (!hdr->check)
> > + if (!hdr->check) {
> > + skb->ip_summed = CHECKSUM_UNNECESSARY;
> > return false;
> > + }
> >
> > /* Checksum invalid? Ignore.
> > * We skip checking packets on the outgoing path
>
> Hey,
>
> I think this patch broke geneve tunnels, or possibly all udp tunnels?
>
> A simple test that creates two geneve tunnels and runs tcp iperf fails
> and results in checksum errors (TcpInCsumErrors).
>
> Any idea how to solve that? Maybe 'skb->csum_level' needs some adjustments?
Probably better to revert and patch nf_reject instead to
handle 0 udp csum?
Powered by blists - more mailing lists