* [PATCH] netfilter: flowtable: fix tcp and udp header checksum update
@ 2021-02-02 17:01 sven.auhagen
2021-02-02 23:29 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: sven.auhagen @ 2021-02-02 17:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
From: Sven Auhagen <sven.auhagen@voleatech.de>
When updating the tcp or udp header checksum on port nat
the function inet_proto_csum_replace2 with the last parameter
pseudohdr as true.
This leads to an error in the case that GRO is used and packets
are split up in GSO.
The tcp or udp checksum of all packets is incorrect.
The error is probably masked due to the fact the most network driver
implement tcp/udp checksum offloading.
It also only happens when GRO is applied and not on single packets.
The error is most visible when using a pppoe connection which is not
triggering the tcp/udp checksum offload.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 513f78db3cb2..4a4acbba78ff 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -399,7 +399,7 @@ static int nf_flow_nat_port_tcp(struct sk_buff *skb, unsigned int thoff,
return -1;
tcph = (void *)(skb_network_header(skb) + thoff);
- inet_proto_csum_replace2(&tcph->check, skb, port, new_port, true);
+ inet_proto_csum_replace2(&tcph->check, skb, port, new_port, false);
return 0;
}
@@ -415,7 +415,7 @@ static int nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff,
udph = (void *)(skb_network_header(skb) + thoff);
if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
inet_proto_csum_replace2(&udph->check, skb, port,
- new_port, true);
+ new_port, false);
if (!udph->check)
udph->check = CSUM_MANGLED_0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] netfilter: flowtable: fix tcp and udp header checksum update
2021-02-02 17:01 [PATCH] netfilter: flowtable: fix tcp and udp header checksum update sven.auhagen
@ 2021-02-02 23:29 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2021-02-02 23:29 UTC (permalink / raw)
To: sven.auhagen; +Cc: netfilter-devel
Hi Sven,
On Tue, Feb 02, 2021 at 06:01:16PM +0100, sven.auhagen@voleatech.de wrote:
> From: Sven Auhagen <sven.auhagen@voleatech.de>
>
> When updating the tcp or udp header checksum on port nat
> the function inet_proto_csum_replace2 with the last parameter
> pseudohdr as true.
> This leads to an error in the case that GRO is used and packets
> are split up in GSO.
> The tcp or udp checksum of all packets is incorrect.
>
> The error is probably masked due to the fact the most network driver
> implement tcp/udp checksum offloading.
> It also only happens when GRO is applied and not on single packets.
>
> The error is most visible when using a pppoe connection which is not
> triggering the tcp/udp checksum offload.
Good catch.
I'll apply this patch to nf.git.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-02-02 23:29 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-02-02 17:01 [PATCH] netfilter: flowtable: fix tcp and udp header checksum update sven.auhagen
2021-02-02 23:29 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).