From: "Mika Penttilä" <mika.penttila@kolumbus.fi>
To: James Morris <jmorris@redhat.com>
Cc: "David S. Miller" <davem@redhat.com>,
	Harald Welte <laforge@netfilter.org>,
	netdev@oss.sgi.com, Stephen Smalley <sds@epoch.ncsc.mil>
Subject: Re: [PATCH] Fix checksum bug for multicast/broadcast packets on postrouting hook
Date: Sat, 14 Feb 2004 21:07:14 +0200
Message-ID: <402E71E2.1040508@kolumbus.fi>
In-Reply-To: <Xine.LNX.4.44.0402141318490.6128-100000@thoron.boston.redhat.com>



James Morris wrote:

>This patch fixes a bug with multicast/broadcast packets,
>Netfilter, and NICs which do hardware checksums.
>
>Outgoing multicast and broadcast packets are cloned prior to being fed
>into the postrouting hook and looped back.  A problem is caused when the
>shared packet data is modified by the netfilter core code when updating
>the checksum, but the skb->ip_summed field in the header of the original
>skb is not updated.  The NIC then tries to do a hardware checksum on an
>already correct checksum, and we end up transmitting the wrong thing.
>
>This bug stops things like DHCP from working, and was noted under SELinux
>which uses the postrouting hook alone.
>
>The proposed solution below is to copy the skb rather than clone it, to 
>ensure that the original and looped back packets are independent.
>
>Please review.
>
>(A similar problem seems to exist in the IPv6 code, although not 
>verified yet).
>
>
>- James
>

This is unneeded overhead for the common case. The right fix is to make 
sure the modifier (netfilter etc) makes the copy if needed. Actually, 
this is what skb_ip_make_writable() is doing.

--Mika
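
The clone-versus-copy point discussed in this message, as an added userspace model that is not code from the thread or from the kernel: a clone gets its own header but shares the payload, so a checksum written through the clone reaches the original unless the modifier takes a private copy first. All struct, enum and function names below are hypothetical, and the packet bytes are constructed.

```c
/* Userspace model only: every name here is hypothetical, none is kernel API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { SUM_NONE, SUM_HW };                 /* stand-ins for the ip_summed state */
struct pkt_data { int users; unsigned char bytes[4]; };   /* shareable payload */
struct pkt { int ip_summed; struct pkt_data *data; };     /* private header */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }
static struct pkt *pkt_clone(struct pkt *orig) {   /* new header, same payload */
    struct pkt *c = xalloc(sizeof *c);
    *c = *orig; c->data->users++;
    return c;
}
static void pkt_free(struct pkt *p) {
    if (--p->data->users == 0) free(p->data);
    free(p);
}
/* Copy-on-write: private payload only when shared; returns 1 if it copied. */
int pkt_make_writable(struct pkt *p) {
    if (p->data->users == 1) return 0;             /* common case: no overhead */
    struct pkt_data *priv = xalloc(sizeof *priv);
    *priv = *p->data;
    priv->users = 1; p->data->users--;
    p->data = priv;
    return 1;
}
/* Hook on the looped-back packet: writes the checksum in software. */
static void hook_fill_checksum(struct pkt *p, int cow) {
    if (cow) pkt_make_writable(p);
    p->data->bytes[0] = 0xAB; p->data->bytes[1] = 0xCD;   /* constructed value */
    p->ip_summed = SUM_NONE;           /* only this header records the change */
}
/* 1 if the original still wants a HW checksum but its payload was rewritten. */
int original_corrupted(int cow) {
    const unsigned char raw[4] = {0, 0, 0x11, 0x22};      /* constructed packet */
    struct pkt *orig = xalloc(sizeof *orig);
    orig->data = xalloc(sizeof *orig->data);
    orig->data->users = 1; orig->ip_summed = SUM_HW;
    memcpy(orig->data->bytes, raw, sizeof raw);
    struct pkt *loop = pkt_clone(orig);
    hook_fill_checksum(loop, cow);
    int bad = orig->ip_summed == SUM_HW && memcmp(orig->data->bytes, raw, sizeof raw) != 0;
    pkt_free(loop); pkt_free(orig);
    return bad;
}

int main(void) {
    printf("plain clone: %d, copy-on-write: %d\n", original_corrupted(0), original_corrupted(1));
    return 0;
}
```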
