From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.18 02/65] netfilter: xt_checksum: ignore gso skbs
Date: Mon, 1 Oct 2018 00:38:03 +0000
Message-ID: <20181001003754.146961-2-alexander.levin@microsoft.com>
In-Reply-To: <20181001003754.146961-1-alexander.levin@microsoft.com>

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 10568f6c5761db24249c610c94d6e44d5505a0ba ]

Satish Patel reports a skb_warn_bad_offload() splat caused
by -j CHECKSUM rules:

-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM

The CHECKSUM target has never worked with GSO skbs, and the above rule
makes no sense as the kernel will handle checksum updates on transmit.

Unfortunately, there are 3rd party tools that install such rules, so we
cannot reject this from the config plane without potential breakage.

Amend Kconfig text to clarify that the CHECKSUM target is only useful
in virtualized environments, where old dhcp clients that use AF_PACKET
used to discard UDP packets with a 'bad' header checksum, and add a
one-time warning in case such a rule isn't restricted to UDP.

v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek)

Reported-by: Satish Patel <satish.txt@gmail.com>
Reported-by: Markos Chandras <markos.chandras@suse.com>
Reported-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 net/netfilter/Kconfig       | 12 ++++++------
 net/netfilter/xt_CHECKSUM.c | 22 +++++++++++++++++++++-
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f0a1c536ef15..e6d5c87f0d96 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -740,13 +740,13 @@ config NETFILTER_XT_TARGET_CHECKSUM
 	depends on NETFILTER_ADVANCED
 	---help---
 	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
-	  table.
+	  table to work around buggy DHCP clients in virtualized environments.
 
-	  You can use this target to compute and fill in the checksum in
-	  a packet that lacks a checksum.  This is particularly useful,
-	  if you need to work around old applications such as dhcp clients,
-	  that do not work well with checksum offloads, but don't want to disable
-	  checksum offload in your device.
+	  Some old DHCP clients drop packets because they are not aware
+	  that the checksum would normally be offloaded to hardware and
+	  thus should be considered valid.
+	  This target can be used to fill in the checksum using iptables
+	  when such packets are sent via a virtual network device.
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
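Review bot: the rewritten help text still does not mention the two behaviours this patch introduces, namely that the target does nothing for GSO skbs and that a rule not restricted to UDP now triggers a one-time kernel warning, so an admin who sees the warning and reads Kconfig gets no hint why; suggest appending a sentence after "when such packets are sent via a virtual network device." along the lines of "Restrict rules with \"-p udp\"; the target has no effect on GSO packets."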
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 9f4151ec3e06..6c7aa6a0a0d2 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -16,6 +16,9 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CHECKSUM.h>
 
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
 MODULE_DESCRIPTION("Xtables: checksum modification");
@@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM");
 static unsigned int
 checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	if (skb->ip_summed == CHECKSUM_PARTIAL)
+	if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
 		skb_checksum_help(skb);
 
 	return XT_CONTINUE;
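Review bot: the added `!skb_is_gso(skb)` condition silently skips GSO skbs without saying why, and the reason (skb_checksum_help() on a GSO skb trips skb_warn_bad_offload(), per the commit message) lives only in the changelog; a one-line comment above the `if`, e.g. `/* GSO skbs are checksummed after segmentation; see skb_warn_bad_offload() */`, would keep the next reader from having to git blame this line.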
@@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 static int checksum_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_CHECKSUM_info *einfo = par->targinfo;
+	const struct ip6t_ip6 *i6 = par->entryinfo;
+	const struct ipt_ip *i4 = par->entryinfo;
 
 	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
 		pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
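Review bot: `i6` and `i4` both alias `par->entryinfo`, and only one of them points at a valid structure for a given `par->family`; the code is correct because each is dereferenced only under the matching `case` later in checksum_tg_check(), but a short comment on the declarations noting that the type of entryinfo depends on par->family would make the deliberate aliasing obvious rather than looking like a copy-paste slip.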
@@ -43,6 +48,21 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
 	if (!einfo->operation)
 		return -EINVAL;
 
+	switch (par->family) {
+	case NFPROTO_IPV4:
+		if (i4->proto == IPPROTO_UDP &&
+		    (i4->invflags & XT_INV_PROTO) == 0)
+			return 0;
+		break;
+	case NFPROTO_IPV6:
+		if ((i6->flags & IP6T_F_PROTO) &&
+		    i6->proto == IPPROTO_UDP &&
+		    (i6->invflags & XT_INV_PROTO) == 0)
+			return 0;
+		break;
+	}
+
+	pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict with \"-p udp\" and only use in OUTPUT\n");
 	return 0;
 }
 
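Review bot: the `pr_warn_once()` text tells the admin to "only use in OUTPUT", but nothing in the new switch checks which hook the rule is attached to, so a `-p udp` rule in POSTROUTING hits the early `return 0` and never warns; either check the hook the rule is registered on as well, or drop the OUTPUT advice from the message so it matches what is actually enforced. The switch also has no `default:` arm, which is fine as written (any other family just falls through to the warning) but worth a comment. Finally, because the warning is printed once per boot and names neither the family nor the offending rule, the first non-UDP rule suppresses it for every later one; including `par->family` in the message would at least tell the admin which ruleset to look at.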
-- 
2.17.1
