From: Florian Westphal <fw@strlen.de>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: Xin Long <lucien.xin@gmail.com>,
network dev <netdev@vger.kernel.org>,
netfilter-devel@vger.kernel.org,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
pablo@netfilter.org, fw@strlen.de
Subject: Re: [PATCH net] netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
Date: Wed, 13 Mar 2019 12:59:48 +0100 [thread overview]
Message-ID: <20190313115948.zhnov5ze6rdttm7k@breakpoint.cc> (raw)
In-Reply-To: <20190313113333.GB16434@hmswarspite.think-freely.org>
Neil Horman <nhorman@tuxdriver.com> wrote:
> On Wed, Mar 13, 2019 at 04:33:29PM +0800, Xin Long wrote:
> > Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"),
> > skb->transport_header has been always set before entering INET
> > netfilter. This patch is to set skb->transport_header for bridge
> > before entering INET netfilter by bridge-nf-call-iptables.
> >
> > It also fixes an issue that sctp_error() couldn't compute a right
> > csum due to unset skb->transport_header.
> >
> > Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
> > Reported-by: Li Shuang <shuali@redhat.com>
> > Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > ---
> > net/bridge/br_netfilter_hooks.c | 1 +
> > net/bridge/br_netfilter_ipv6.c | 2 ++
> > 2 files changed, 3 insertions(+)
> >
> > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> > index c93c35b..4d09a33 100644
> > --- a/net/bridge/br_netfilter_hooks.c
> > +++ b/net/bridge/br_netfilter_hooks.c
> > @@ -502,6 +502,7 @@ static unsigned int br_nf_pre_routing(void *priv,
> > nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
> >
> > skb->protocol = htons(ETH_P_IP);
> > + skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
> >
> > NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
> > skb->dev, NULL,
> > diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
> > index 564710f..e88d664 100644
> > --- a/net/bridge/br_netfilter_ipv6.c
> > +++ b/net/bridge/br_netfilter_ipv6.c
> > @@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
> > nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
> >
> > skb->protocol = htons(ETH_P_IPV6);
> > + skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
> > +
> > NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
> > skb->dev, NULL,
> > br_nf_pre_routing_finish_ipv6);
> > --
> > 2.1.0
> >
> >
> Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Florian Westphal <fw@strlen.de>
... because this fixes discrepancy of normal stack vs. bridge path.
However, I think we still need a fix for the ipv6 case as
there is no guarantee ipv6 nexthdr will be the sctp one.
We already pass the sctp offset as argument to sctp_compute_cksum(),
why can't we just replace sctp_hdr(skb) with skb->data + dataoff, as
Xin Long originally suggested?
IOW, whats the problem with
https://marc.info/?l=linux-netdev&m=155109395226858&w=2 ?
(In theory conntrack can also inspect transport header inside icmp error
messages like pkttoobig and so on,
although this won't be the case here as we can't validate csum anyway
if the packet isn't complete).
Just pointing out that we can't rely on skb transport header being
"correct" in all cases from netfilter point of view.
next prev parent reply other threads:[~2019-03-13 11:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 8:33 [PATCH net] netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING Xin Long
2019-03-13 11:33 ` Neil Horman
2019-03-13 11:59 ` Florian Westphal [this message]
2019-03-14 14:19 ` Pablo Neira Ayuso
2019-03-14 14:41 ` Xin Long
2019-03-15 11:09 ` Neil Horman
2019-03-15 13:39 ` Xin Long
2019-03-18 15:22 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190313115948.zhnov5ze6rdttm7k@breakpoint.cc \
--to=fw@strlen.de \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).