lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Feb 2022 17:04:40 +0100 From: Pablo Neira Ayuso <pablo@...filter.org> To: Florian Westphal <fw@...len.de> Cc: Gal Pressman <gal@...dia.com>, netfilter-devel@...r.kernel.org, davem@...emloft.net, netdev@...r.kernel.org, kuba@...nel.org, kevmitch@...sta.com Subject: Re: [PATCH net-next 01/14] netfilter: conntrack: mark UDP zero checksum as CHECKSUM_UNNECESSARY On Wed, Feb 16, 2022 at 04:28:42PM +0100, Florian Westphal wrote: > Gal Pressman <gal@...dia.com> wrote: > > [ CC patch author ] > > > > The udp_error function verifies the checksum of incoming UDP packets if > > > one is set. This has the desirable side effect of setting skb->ip_summed > > > to CHECKSUM_COMPLETE, signalling that this verification need not be > > > repeated further up the stack. > > > > > > Conversely, when the UDP checksum is empty, which is perfectly legal (at least > > > inside IPv4), udp_error previously left no trace that the checksum had been > > > deemed acceptable. > > > > > > This was a problem in particular for nf_reject_ipv4, which verifies the > > > checksum in nf_send_unreach() before sending ICMP_DEST_UNREACH. It makes > > > no accommodation for zero UDP checksums unless they are already marked > > > as CHECKSUM_UNNECESSARY. > > > > > > This commit ensures packets with empty UDP checksum are marked as > > > CHECKSUM_UNNECESSARY, which is explicitly recommended in skbuff.h. > > > > > > Signed-off-by: Kevin Mitchell <kevmitch@...sta.com> > > > Acked-by: Florian Westphal <fw@...len.de> > > > Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org> > > > --- > > > net/netfilter/nf_conntrack_proto_udp.c | 4 +++- > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c > > > index 3b516cffc779..12f793d8fe0c 100644 > > > --- a/net/netfilter/nf_conntrack_proto_udp.c > > > +++ b/net/netfilter/nf_conntrack_proto_udp.c > > > @@ -63,8 +63,10 @@ static bool udp_error(struct sk_buff *skb, > > > } > > > > > > /* Packet with no checksum */ > > > - if (!hdr->check) > > > + if (!hdr->check) { > > > + skb->ip_summed = CHECKSUM_UNNECESSARY; > > > return false; > > > + } > > > > > > /* Checksum invalid? Ignore. > > > * We skip checking packets on the outgoing path > > > > Hey, > > > > I think this patch broke geneve tunnels, or possibly all udp tunnels? > > > > A simple test that creates two geneve tunnels and runs tcp iperf fails > > and results in checksum errors (TcpInCsumErrors). > > > > Any idea how to solve that? Maybe 'skb->csum_level' needs some adjustments? > > Probably better to revert and patch nf_reject instead to > handle 0 udp csum? Agreed.
Powered by blists - more mailing lists