RE: [netfilter]: Fix skb->csum calculation when netfilter

From: Praveen Chaudhary
Date: Thu Oct 24 2019 - 01:20:41 EST

Next message: james qian wang (Arm Technology China): "Re: [RFC,3/3] drm/komeda: Allow non-component drm_bridge only endpoints"
Previous message: Paul Burton: "Re: [PATCH] MIPS: include: remove unsued header file asm/sgi/sgi.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Florian

Thanks for giving time for review. This fix is pretty important for SONiC OS (https://azure.github.io/SONiC/). So I really appreciate it.

>> inet_proto_csum_replace16 is called from many places, whereas this fix is
>> applicable only for nf_nat_ipv6_csum_update. where we need to update
>> skb->csum for ipv6 src/dst address change.
>
>Under which circumstances does inet_proto_csum_replace16 upate
>skb->csum correctly?

inet_proto_csum_replace16 calculates skb->csum correctly if skb->csum does not include 16-bit sum of IPv6 Header i.e skb->data points to UDP\TCP\ICMPv6 header while calling __skb_checksum_complete() on packet. Function inet_proto_csum_replace16 is called from nf_nat_ipv6_csum_update(), nf_flow_nat_ipv6_tcp(), nf_flow_nat_ipv6_udp() and update_ipv6_checksum(). For all nf_*() functions, inet_proto_csum_replace16() will not update skb->csum correctly\completely.
But I am not sure about update_ipv6_checksum() (in net/openvswitch/actions.c). This is where I seek help from experts. If even for update_ipv6_checksum(), skb->csum includes 16-bit sum of IPv6 Header then inet_proto_csum_replace16() does updates skb->csum correctly. Then our fix will be to remove below line from this function. Because change in UDP\TCP\ICMPv6 header checksum field and change in IPv6 SRC\DST address cancels each other for checksum calculation, i.e. no update to skb->csum is needed.
```
if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
skb->csum = ~csum_partial(diff, sizeof(diff),
~skb->csum);
```
>
>> So, I added a new function. Basically, I used a safe approach to fix it,
>> without impacting other cases. Let me know other options, I am open to
>> suggestions.
>
>You seem to imply inet_proto_csum_replace16 is fine and only broken for ipv6
>nat.

Yeah, as mentioned above, I took safe approach to fix only nf_nat_ipv6_csum_update() part, where I am sure that skb->csum is broken. But I am not sure if (net/openvswitch/actions.c) needs this fix or not. Consider this my lack of expertise, So kindly suggest whether net/openvswitch/actions.c needs this fix or not. Note: I may not be able to test this part. After your suggestion, I will change my patch. Again Thanks for your time.

Next message: james qian wang (Arm Technology China): "Re: [RFC,3/3] drm/komeda: Allow non-component drm_bridge only endpoints"
Previous message: Paul Burton: "Re: [PATCH] MIPS: include: remove unsued header file asm/sgi/sgi.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]