From patchwork Wed Aug 21 03:20:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Ruffell X-Patchwork-Id: 1150542 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46CtGm6Vkpz9s4Y; Wed, 21 Aug 2019 13:21:04 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1i0HB7-00088n-8I; Wed, 21 Aug 2019 03:20:53 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1i0HB4-00088T-1f for kernel-team@lists.ubuntu.com; Wed, 21 Aug 2019 03:20:50 +0000 Received: from mail-pf1-f198.google.com ([209.85.210.198]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1i0HB3-0000Md-Ig for kernel-team@lists.ubuntu.com; Wed, 21 Aug 2019 03:20:49 +0000 Received: by mail-pf1-f198.google.com with SMTP id g185so633159pfb.13 for ; Tue, 20 Aug 2019 20:20:49 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=pPMq3HzcelT7Uv86Hzyr+655MKIrz501RWxZ6zggkZ8=; b=s56U1qfKqEECgQXtapBQzo4dt75k9bJUdNBUxqhs3aCBl8T0VeFzG075CD8u/jYHnJ 97ZPVfyJvhRiA5XywGoLWxixlAGA/dKqEhk48qtfrmci5EPYxMUYTiNwHEFtkjM1FZca W7DaHizXt9y70gaqTidfhz1hPTdDHeVfnMRrYp9W79OwzBb7DXHJ1q5tpMh3mOZ8MBo1 fSMN9rH6iRvuqPwdP5+/uTgSMh2/ERtCc77dCBQWpouAk0U2IFnFtz3YrYzcFB96Mt2A PMMPGMq8APfTLyyDbMDJbCKsn5pCEbDZiN9vJTGanwhzduhW1akoQK1ITx/dAwFoSP0J HESg== X-Gm-Message-State: APjAAAVnSWZbBOTg0MRX25dfJvS2RdNUUKTW3papmJI/OMXGYrjUCW57 PF5J+VZVOEasefAAfLyGx2yUTxjeioMIBibo/KkR7oxBVqB6NDLf2ca/B5gSVYuAu0ju1EkfRg9 gdf8jN6b9zboIXzh5afAi2NMxSFLNFvjxxcMIF8aPog== X-Received: by 2002:a65:6093:: with SMTP id t19mr20792807pgu.79.1566357648036; Tue, 20 Aug 2019 20:20:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqyDYUbuPWGtP4nAu/Gb2yvg089Fvz82rkZ1zjb5R8Aks9FWPu+WZCfpXIom5HACmiZGLjjY+A== X-Received: by 2002:a65:6093:: with SMTP id t19mr20792793pgu.79.1566357647766; Tue, 20 Aug 2019 20:20:47 -0700 (PDT) Received: from localhost.localdomain (125-238-115-161-fibre.sparkbb.co.nz. [125.238.115.161]) by smtp.gmail.com with ESMTPSA id m20sm22851755pff.79.2019.08.20.20.20.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Aug 2019 20:20:47 -0700 (PDT) From: Matthew Ruffell To: kernel-team@lists.ubuntu.com Subject: [SRU][Xenial][PATCH 1/1] netfilter: xt_checksum: ignore gso skbs Date: Wed, 21 Aug 2019 15:20:35 +1200 Message-Id: <20190821032035.16263-2-matthew.ruffell@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190821032035.16263-1-matthew.ruffell@canonical.com> References: <20190821032035.16263-1-matthew.ruffell@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Florian Westphal BugLink: https://bugs.launchpad.net/bugs/1840619 Satish Patel reports a skb_warn_bad_offload() splat caused by -j CHECKSUM rules: -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM The CHECKSUM target has never worked with GSO skbs, and the above rule makes no sense as kernel will handle checksum updates on transmit. Unfortunately, there are 3rd party tools that install such rules, so we cannot reject this from the config plane without potential breakage. Amend Kconfig text to clarify that the CHECKSUM target is only useful in virtualized environments, where old dhcp clients that use AF_PACKET used to discard UDP packets with a 'bad' header checksum and add a one-time warning in case such rule isn't restricted to UDP. v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek) Reported-by: Satish Patel Reported-by: Markos Chandras Reported-by: Michal Kubecek Signed-off-by: Florian Westphal Reviewed-by: Michal Kubecek Signed-off-by: Pablo Neira Ayuso (backported from commit 10568f6c5761db24249c610c94d6e44d5505a0ba) [mruffell: minor context adjustment] Signed-off-by: Matthew Ruffell Acked-by: Stefan Bader Acked-by: Connor Kuehl --- net/netfilter/Kconfig | 12 ++++++------ net/netfilter/xt_CHECKSUM.c | 23 ++++++++++++++++++++++- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 4692782b5280..e13e2eecbaf4 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -635,13 +635,13 @@ config NETFILTER_XT_TARGET_CHECKSUM depends on NETFILTER_ADVANCED ---help--- This option adds a `CHECKSUM' target, which can be used in the iptables mangle - table. + table to work around buggy DHCP clients in virtualized environments. - You can use this target to compute and fill in the checksum in - a packet that lacks a checksum. This is particularly useful, - if you need to work around old applications such as dhcp clients, - that do not work well with checksum offloads, but don't want to disable - checksum offload in your device. + Some old DHCP clients drop packets because they are not aware + that the checksum would normally be offloaded to hardware and + thus should be considered valid. + This target can be used to fill in the checksum using iptables + when such packets are sent via a virtual network device. To compile it as a module, choose M here. If unsure, say N. diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c index 0f642ef8cd26..db286fc0bc32 100644 --- a/net/netfilter/xt_CHECKSUM.c +++ b/net/netfilter/xt_CHECKSUM.c @@ -16,6 +16,9 @@ #include #include +#include +#include + MODULE_LICENSE("GPL"); MODULE_AUTHOR("Michael S. Tsirkin "); MODULE_DESCRIPTION("Xtables: checksum modification"); @@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM"); static unsigned int checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) { - if (skb->ip_summed == CHECKSUM_PARTIAL) + if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb)) skb_checksum_help(skb); return XT_CONTINUE; @@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) static int checksum_tg_check(const struct xt_tgchk_param *par) { const struct xt_CHECKSUM_info *einfo = par->targinfo; + const struct ip6t_ip6 *i6 = par->entryinfo; + const struct ipt_ip *i4 = par->entryinfo; if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { pr_info("unsupported CHECKSUM operation %x\n", einfo->operation); @@ -43,6 +48,22 @@ static int checksum_tg_check(const struct xt_tgchk_param *par) pr_info("no CHECKSUM operation enabled\n"); return -EINVAL; } + + switch (par->family) { + case NFPROTO_IPV4: + if (i4->proto == IPPROTO_UDP && + (i4->invflags & XT_INV_PROTO) == 0) + return 0; + break; + case NFPROTO_IPV6: + if ((i6->flags & IP6T_F_PROTO) && + i6->proto == IPPROTO_UDP && + (i6->invflags & XT_INV_PROTO) == 0) + return 0; + break; + } + + pr_warn_once("CHECKSUM should be avoided. If really needed, restrict with \"-p udp\" and only use in OUTPUT\n"); return 0; }