From: Florian Westphal <fw@strlen.de>
To: Gal Pressman <gal@nvidia.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, kuba@kernel.org, kevmitch@arista.com
Subject: Re: [PATCH net-next 01/14] netfilter: conntrack: mark UDP zero checksum as CHECKSUM_UNNECESSARY
Date: Wed, 16 Feb 2022 16:28:42 +0100 [thread overview]
Message-ID: <20220216152842.GA20500@breakpoint.cc> (raw)
In-Reply-To: <7eed8111-42d7-63e1-d289-346a596fc933@nvidia.com>
Gal Pressman <gal@nvidia.com> wrote:
[ CC patch author ]
> > The udp_error function verifies the checksum of incoming UDP packets if
> > one is set. This has the desirable side effect of setting skb->ip_summed
> > to CHECKSUM_COMPLETE, signalling that this verification need not be
> > repeated further up the stack.
> >
> > Conversely, when the UDP checksum is empty, which is perfectly legal (at least
> > inside IPv4), udp_error previously left no trace that the checksum had been
> > deemed acceptable.
> >
> > This was a problem in particular for nf_reject_ipv4, which verifies the
> > checksum in nf_send_unreach() before sending ICMP_DEST_UNREACH. It makes
> > no accommodation for zero UDP checksums unless they are already marked
> > as CHECKSUM_UNNECESSARY.
> >
> > This commit ensures packets with empty UDP checksum are marked as
> > CHECKSUM_UNNECESSARY, which is explicitly recommended in skbuff.h.
> >
> > Signed-off-by: Kevin Mitchell <kevmitch@arista.com>
> > Acked-by: Florian Westphal <fw@strlen.de>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> > net/netfilter/nf_conntrack_proto_udp.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
> > index 3b516cffc779..12f793d8fe0c 100644
> > --- a/net/netfilter/nf_conntrack_proto_udp.c
> > +++ b/net/netfilter/nf_conntrack_proto_udp.c
> > @@ -63,8 +63,10 @@ static bool udp_error(struct sk_buff *skb,
> > }
> >
> > /* Packet with no checksum */
> > - if (!hdr->check)
> > + if (!hdr->check) {
> > + skb->ip_summed = CHECKSUM_UNNECESSARY;
> > return false;
> > + }
> >
> > /* Checksum invalid? Ignore.
> > * We skip checking packets on the outgoing path
>
> Hey,
>
> I think this patch broke geneve tunnels, or possibly all udp tunnels?
>
> A simple test that creates two geneve tunnels and runs tcp iperf fails
> and results in checksum errors (TcpInCsumErrors).
>
> Any idea how to solve that? Maybe 'skb->csum_level' needs some adjustments?
Probably better to revert and patch nf_reject instead to
handle 0 udp csum?
next prev parent reply other threads:[~2022-02-16 15:28 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 13:36 [PATCH net-next 00/14] Netfilter updates for net-next Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 01/14] netfilter: conntrack: mark UDP zero checksum as CHECKSUM_UNNECESSARY Pablo Neira Ayuso
2022-02-10 5:50 ` patchwork-bot+netdevbpf
2022-02-16 14:10 ` Gal Pressman
2022-02-16 15:28 ` Florian Westphal [this message]
2022-02-16 16:04 ` Pablo Neira Ayuso
2022-02-16 18:52 ` Gal Pressman
2022-02-16 19:26 ` Florian Westphal
2022-02-09 13:36 ` [PATCH net-next 02/14] netfilter: nfqueue: enable to get skb->priority Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 03/14] netfilter: conntrack: make all extensions 8-byte alignned Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 04/14] netfilter: conntrack: move extension sizes into core Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 05/14] netfilter: conntrack: handle ->destroy hook via nat_ops instead Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 06/14] netfilter: conntrack: remove extension register api Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 07/14] netfilter: conntrack: pptp: use single option structure Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 08/14] netfilter: exthdr: add support for tcp option removal Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 09/14] netfilter: nft_compat: suppress comment match Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 10/14] netfilter: ecache: don't use nf_conn spinlock Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 11/14] netfilter: cttimeout: use option structure Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 12/14] netfilter: nft_cmp: optimize comparison for 16-bytes Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 13/14] nfqueue: enable to set skb->priority Pablo Neira Ayuso
2022-02-09 13:36 ` [PATCH net-next 14/14] netfilter: ctnetlink: use dump structure instead of raw args Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220216152842.GA20500@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=gal@nvidia.com \
--cc=kevmitch@arista.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.