| Message ID | 1573285817-32651-1-git-send-email-lirongqing@baidu.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | netfilter: only call csum_tcpudp_magic for TCP/UDP packets | expand |
On Sat, Nov 09, 2019 at 03:50:17PM +0800, Li RongQing wrote: > csum_tcpudp_magic should not be called to compute checksum > for non-TCP/UDP packets, like ICMP with wrong checksum This is fixing 5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8. > Signed-off-by: Li RongQing <lirongqing@baidu.com> > --- > net/netfilter/utils.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c > index 51b454d8fa9c..72eace52874e 100644 > --- a/net/netfilter/utils.c > +++ b/net/netfilter/utils.c > @@ -17,9 +17,12 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, > case CHECKSUM_COMPLETE: > if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) > break; > - if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && > - !csum_fold(skb->csum)) || > - !csum_tcpudp_magic(iph->saddr, iph->daddr, > + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) { > + if (!csum_fold(skb->csum)) { > + skb->ip_summed = CHECKSUM_UNNECESSARY; > + break; > + } > + } else if (!csum_tcpudp_magic(iph->saddr, iph->daddr, > skb->len - dataoff, protocol, > skb->csum)) { Probably disentangle this code with the following snippet? switch (protocol) { case IPPROTO_TCP: case IPPROTO_UDP: if (!csum_tcpudp_magic(iph->saddr, iph->daddr, skb->len - dataoff, protocol, skb->csum)) skb->ip_summed = CHECKSUM_UNNECESSARY; break; default: if (!csum_fold(skb->csum)) skb->ip_summed = CHECKSUM_UNNECESSARY; break; } > + if (!csum_fold(skb->csum)) { > + skb->ip_summed = CHECKSUM_UNNECESSARY; > + break; > + } > + } else if (!csum_tcpudp_magic(iph->saddr, iph->daddr, > skb->len - dataoff, protocol, > skb->csum)) { > skb->ip_summed = CHECKSUM_UNNECESSARY; > -- > 2.16.2 >
> -----邮件原件----- > 发件人: netfilter-devel-owner@vger.kernel.org > [mailto:netfilter-devel-owner@vger.kernel.org] 代表 Pablo Neira Ayuso > 发送时间: 2019年11月13日 5:30 > 收件人: Li,Rongqing <lirongqing@baidu.com> > 抄送: netfilter-devel@vger.kernel.org > 主题: Re: [PATCH] netfilter: only call csum_tcpudp_magic for TCP/UDP packets > > On Sat, Nov 09, 2019 at 03:50:17PM +0800, Li RongQing wrote: > > csum_tcpudp_magic should not be called to compute checksum for > > non-TCP/UDP packets, like ICMP with wrong checksum > > This is fixing 5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8. > > > Signed-off-by: Li RongQing <lirongqing@baidu.com> > > --- > > net/netfilter/utils.c | 9 ++++++--- > > 1 file changed, 6 insertions(+), 3 deletions(-) > > > > diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c index > > 51b454d8fa9c..72eace52874e 100644 > > --- a/net/netfilter/utils.c > > +++ b/net/netfilter/utils.c > > @@ -17,9 +17,12 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, > unsigned int hook, > > case CHECKSUM_COMPLETE: > > if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) > > break; > > - if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && > > - !csum_fold(skb->csum)) || > > - !csum_tcpudp_magic(iph->saddr, iph->daddr, > > + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) { > > + if (!csum_fold(skb->csum)) { > > + skb->ip_summed = CHECKSUM_UNNECESSARY; > > + break; > > + } > > + } else if (!csum_tcpudp_magic(iph->saddr, iph->daddr, > > skb->len - dataoff, protocol, > > skb->csum)) { > > Probably disentangle this code with the following snippet? > > switch (protocol) { > case IPPROTO_TCP: > case IPPROTO_UDP: > if (!csum_tcpudp_magic(iph->saddr, iph->daddr, > skb->len - dataoff, > protocol, > skb->csum)) > skb->ip_summed = > CHECKSUM_UNNECESSARY; > break; > default: > if (!csum_fold(skb->csum)) > skb->ip_summed = > CHECKSUM_UNNECESSARY; > break; > } > OK ,I will send V2, thanks -RongQing
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c index 51b454d8fa9c..72eace52874e 100644 --- a/net/netfilter/utils.c +++ b/net/netfilter/utils.c @@ -17,9 +17,12 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, case CHECKSUM_COMPLETE: if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) break; - if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && - !csum_fold(skb->csum)) || - !csum_tcpudp_magic(iph->saddr, iph->daddr, + if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) { + if (!csum_fold(skb->csum)) { + skb->ip_summed = CHECKSUM_UNNECESSARY; + break; + } + } else if (!csum_tcpudp_magic(iph->saddr, iph->daddr, skb->len - dataoff, protocol, skb->csum)) { skb->ip_summed = CHECKSUM_UNNECESSARY;
csum_tcpudp_magic should not be called to compute checksum for non-TCP/UDP packets, like ICMP with wrong checksum Signed-off-by: Li RongQing <lirongqing@baidu.com> --- net/netfilter/utils.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)