netfilter-devel.vger.kernel.org archive mirror
* [PATCH] netfilter: skip checksum verification for outgoing rejected ipv6 packets
@ 2013-10-22  8:36 Stanislav Fomichev
  2013-10-22 10:55 ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Stanislav Fomichev @ 2013-10-22  8:36 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo, kaber, kadlec

Don't verify checksum for outgoing packets because checksum calculation
may be done by the device.

Without this patch:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection timed out

real    0m7.201s
user    0m0.000s
sys     0m0.000s

With the patch applied:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection refused

real    0m0.085s
user    0m0.000s
sys     0m0.000s

Signed-off-by: Stanislav Fomichev <stfomichev@yandex-team.ru>
---
 net/ipv6/netfilter/ip6t_REJECT.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 56eef30ee5f6..3ef2b834bca3 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
 MODULE_LICENSE("GPL");
 
 /* Send RST reply */
-static void send_reset(struct net *net, struct sk_buff *oldskb)
+static void send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 {
 	struct sk_buff *nskb;
 	struct tcphdr otcph, *tcph;
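Review bot: the new parameter is declared `int hook`, but the value passed from `reject_tg6()` is `par->hooknum`, an `unsigned int` in `struct xt_action_param`, and the `NF_INET_*` hook constants it is compared against are unsigned as well; declare it `unsigned int hook` so the types match and no sign-conversion warning is introduced.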
@@ -88,8 +88,10 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
 	}
 
 	/* Check checksum. */
-	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
+	if (hook != NF_INET_LOCAL_OUT &&
+	    csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
 			    skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+
 		pr_debug("TCP checksum is invalid\n");
 		return;
 	}
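Review bot: the condition keys on the hook number rather than on the packet's checksum state, so it only covers `NF_INET_LOCAL_OUT`: a locally generated packet whose checksum is still to be completed by the device but which is rejected from another hook (a local packet in `NF_INET_POST_ROUTING`, say) still fails `csum_ipv6_magic()` and the RST is dropped silently with only a `pr_debug()`. `nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)` consults `skb->ip_summed` and skips verification for packets the hardware has already validated or will complete, so prefer it over the open-coded test. Also drop the lone `+` blank line added after the condition; it is whitespace noise inside the `if` body.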
@@ -227,7 +229,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		/* Do nothing */
 		break;
 	case IP6T_TCP_RESET:
-		send_reset(net, skb);
+		send_reset(net, skb, par->hooknum);
 		break;
 	default:
 		net_info_ratelimited("case %u not handled yet\n", reject->with);
-- 
1.8.1.2


* Re: [PATCH] netfilter: skip checksum verification for outgoing rejected ipv6 packets
  2013-10-22  8:36 [PATCH] netfilter: skip checksum verification for outgoing rejected ipv6 packets Stanislav Fomichev
@ 2013-10-22 10:55 ` Florian Westphal
  2013-10-22 12:40   ` Stanislav Fomichev
  2013-10-22 12:43   ` [PATCH v2] " Stanislav Fomichev
  0 siblings, 2 replies; 5+ messages in thread
From: Florian Westphal @ 2013-10-22 10:55 UTC (permalink / raw)
  To: Stanislav Fomichev; +Cc: netfilter-devel, pablo, kaber, kadlec

Stanislav Fomichev <stfomichev@yandex-team.ru> wrote:
>  	/* Check checksum. */
> -	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
> +	if (hook != NF_INET_LOCAL_OUT &&
> +	    csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
>  			    skb_checksum(oldskb, tcphoff, otcplen, 0))) {

Could you try using nf_ip6_checksum() here instead of csum_ipv6_magic()?

It has the advantage that it will also skip checksumming in case inbound
packets have already been validated by hardware, etc.

Also this should do the right thing in any case (e.g. local packet
in POST_ROUTING).


* Re: [PATCH] netfilter: skip checksum verification for outgoing rejected ipv6 packets
  2013-10-22 10:55 ` Florian Westphal
@ 2013-10-22 12:40   ` Stanislav Fomichev
  2013-10-22 12:43   ` [PATCH v2] " Stanislav Fomichev
  1 sibling, 0 replies; 5+ messages in thread
From: Stanislav Fomichev @ 2013-10-22 12:40 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel, pablo, kaber, kadlec

> Could you try using nf_ip6_checksum() here instead of csum_ipv6_magic()?
Yes, it works, at least on my checksumming HW. Will resend the patch.

Thanks


* [PATCH v2] netfilter: skip checksum verification for outgoing rejected ipv6 packets
  2013-10-22 10:55 ` Florian Westphal
  2013-10-22 12:40   ` Stanislav Fomichev
@ 2013-10-22 12:43   ` Stanislav Fomichev
  2013-10-23  9:22     ` Pablo Neira Ayuso
  1 sibling, 1 reply; 5+ messages in thread
From: Stanislav Fomichev @ 2013-10-22 12:43 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo, kaber, fw

Don't verify checksum for outgoing packets because checksum calculation
may be done by the device.

Without this patch:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection timed out

real    0m7.201s
user    0m0.000s
sys     0m0.000s

With the patch applied:
$ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
$ time telnet ipv6.google.com 80
Trying 2a00:1450:4010:c03::67...
telnet: Unable to connect to remote host: Connection refused

real    0m0.085s
user    0m0.000s
sys     0m0.000s

Signed-off-by: Stanislav Fomichev <stfomichev@yandex-team.ru>
---
 net/ipv6/netfilter/ip6t_REJECT.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 70f9abc0efe9..0bf81ef80c90 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
 MODULE_LICENSE("GPL");
 
 /* Send RST reply */
-static void send_reset(struct net *net, struct sk_buff *oldskb)
+static void send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 {
 	struct sk_buff *nskb;
 	struct tcphdr otcph, *tcph;
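Review bot: `hook` is still `int` in this revision while both `par->hooknum` and the `hook` argument of `nf_ip6_checksum()` are `unsigned int`; make it `unsigned int hook` so the value is not sign-converted twice on its way through.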
@@ -88,8 +88,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
 	}
 
 	/* Check checksum. */
-	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
-			    skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+	if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) {
 		pr_debug("TCP checksum is invalid\n");
 		return;
 	}
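Review bot: two things to confirm before this goes in. First, `otcplen` was an argument of the removed `csum_ipv6_magic()` call and no longer appears in the new one; make sure it still has a use elsewhere in `send_reset()` or the build will warn about an unused variable. Second, `nf_ip6_checksum()` may update `ip_summed`/`csum` on `oldskb` as a side effect of validating, which is harmless for a packet about to be rejected but deserves a word in the comment; while there, the `/* Check checksum. */` comment should say that verification is skipped when the device has already validated the checksum or will complete it, since that is now the behaviour.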
@@ -209,7 +208,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		/* Do nothing */
 		break;
 	case IP6T_TCP_RESET:
-		send_reset(net, skb);
+		send_reset(net, skb, par->hooknum);
 		break;
 	default:
 		net_info_ratelimited("case %u not handled yet\n", reject->with);
-- 
1.8.1.2
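An added example, not the patch author's code, serving the v1 and v2 descriptions above and Florian's nf_ip6_checksum() suggestion: a user-space model of the check send_reset() performs, showing why full verification of an outgoing segment whose checksum the device will complete (CHECKSUM_PARTIAL) fails, and how a check that consults the skb's checksum state instead of the hook number passes it. The addresses, the SYN header and the three-state ip_summed model are constructed; the kernel's real nf_ip6_checksum() also handles CHECKSUM_COMPLETE, which is omitted here.

```c
#include <stdint.h>
#include <string.h>
enum { CSUM_NONE, CSUM_UNNECESSARY, CSUM_PARTIAL }; /* models skb->ip_summed */

/* Constructed: endpoints 2001:db8::1 -> 2001:db8::2, TCP SYN 49152 -> 80, seq 1, csum 0. */
static const uint8_t SRC[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
static const uint8_t DST[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2};
static const uint8_t SAMPLE_SYN[20] = {0xc0, 0, 0, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                                       0x50, 0x02, 0x72, 0x10, 0, 0, 0, 0};

/* RFC 1071: one's-complement sum of 16-bit words added to acc, then folded. */
static uint16_t csum_add(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; len -= 2, p += 2)
        acc += (uint32_t)(p[0] << 8 | p[1]);
    if (len)
        acc += (uint32_t)p[0] << 8;
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* IPv6 pseudo-header sum (RFC 2460 8.1); for len < 64K each 32-bit field is one word. */
static uint16_t pseudo_csum(uint32_t len, uint8_t proto)
{
    return csum_add(SRC, 16, csum_add(DST, 16, len + proto));
}

/* The csum_ipv6_magic()+skb_checksum() test in ip6t_REJECT.c: 0 means valid. */
static uint16_t tcp6_verify(const uint8_t *tcp, size_t tcplen)
{
    return (uint16_t)~csum_add(tcp, tcplen, pseudo_csum(tcplen, 6 /* TCP */));
}

/* partial=0: checksum completed in software, as seen on the wire. partial=1: CHECKSUM_PARTIAL
 * as on a LOCAL_OUT skb: only the pseudo-header part is stored, the NIC does the rest. */
static void tcp6_fill(uint8_t *tcp, size_t tcplen, int partial)
{
    tcp[16] = tcp[17] = 0;
    uint16_t c = partial ? (uint16_t)~pseudo_csum(tcplen, 6) : tcp6_verify(tcp, tcplen);
    tcp[16] = c >> 8; tcp[17] = c & 0xff;
}

/* Simplified nf_ip6_checksum(): trust the skb's checksum state, not the hook number. */
static uint16_t nf_style_verify(int ip_summed, const uint8_t *tcp, size_t tcplen)
{
    if (ip_summed == CSUM_UNNECESSARY || ip_summed == CSUM_PARTIAL)
        return 0;
    return tcp6_verify(tcp, tcplen);
}
```

With the partial fill, tcp6_verify() is exactly the check that made the v1 report's RST disappear, while nf_style_verify(CSUM_PARTIAL, ...) lets the reset through.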


* Re: [PATCH v2] netfilter: skip checksum verification for outgoing rejected ipv6 packets
  2013-10-22 12:43   ` [PATCH v2] " Stanislav Fomichev
@ 2013-10-23  9:22     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-10-23  9:22 UTC (permalink / raw)
  To: Stanislav Fomichev; +Cc: netfilter-devel, kaber, fw

On Tue, Oct 22, 2013 at 04:43:23PM +0400, Stanislav Fomichev wrote:
> Don't verify checksum for outgoing packets because checksum calculation
> may be done by the device.
> 
> Without this patch:
> $ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
> $ time telnet ipv6.google.com 80
> Trying 2a00:1450:4010:c03::67...
> telnet: Unable to connect to remote host: Connection timed out
> 
> real    0m7.201s
> user    0m0.000s
> sys     0m0.000s
> 
> With the patch applied:
> $ ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
> $ time telnet ipv6.google.com 80
> Trying 2a00:1450:4010:c03::67...
> telnet: Unable to connect to remote host: Connection refused
> 
> real    0m0.085s
> user    0m0.000s
> sys     0m0.000s

Applied to nf-next, thanks!

