Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp2745222ybg; Thu, 24 Oct 2019 14:36:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqy0Nd1W94cw7RcbTpnqSUo8Xm5/XZuidW5/2Gj3TWomefFaPlN1/tbFHv0RsI0+muw4+7yH X-Received: by 2002:a17:906:7c57:: with SMTP id g23mr314921ejp.116.1571952978812; Thu, 24 Oct 2019 14:36:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571952978; cv=none; d=google.com; s=arc-20160816; b=waHBfVAkpUNmdSicH3tO1FezKLs7bAqlDB6ASH/yf6ez7ynZq/iG/vVpFb3GXsGNr/ seLSCvfwUp3yR7ibSRumlfpyVWXA8wj+pXsTaGMzl3AcMYMi71DIFmEmW0G4GUY12O8t kxXwIJo9qh+gMkZwDhksxYLbAQRVZd+YG5L8aL5E83pCXI7Pedls6AC3haa7H0NskG/I zyDAy1A9H9OvCuLW18LfY0UXK6LYMVxwMVPcFhJOvFh3Nlc3SJn8JNeKWc5s0eIAwFDa oF/bcxCr2dZyRT9QJRq3QxRp6hefMV2XxO4MLFQ/cP6DW+CYVPsb+nF8KKgsqMA1t9MM qLfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=R4Qpue11zRbP6z8jWqVbc0HPRRdY1MnnS2DG8TFSNZE=; b=BtxsLAJkK62/HFB6nOo1aVELTh213Gs3j5EcvHuUb2Qr+TmFlnufE2X+dfBaFYquCG SYVyRUYr708OyFhbLj6MmU5hhSRKnoXSFFR9DDVNZyRSXv+XYECLVSqtaxzDWs/SYdTk w1sD5ZWgoomj07uBK5czimBFj7Ja2FYkD3KgwYzDJTU/KgQr/edaG2IG8Kb3EgiVIZ+J Jdl7CiTIVZ2upoYELo2t8FDKmB0+cNYFsHkNitjiAFgI0lOdN5RCE0OWfHIj5bgwE1d9 hk6VTveB6weYfyAAsZK+xYhzb0dVb9N4nLIjp9xkmM9xV3kFaNjQQTpbOZ3spxQfcGw7 3MUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Le9HX99k; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b3si18780747ede.118.2019.10.24.14.35.19; Thu, 24 Oct 2019 14:36:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Le9HX99k; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2408408AbfJXFTh (ORCPT + 99 others); Thu, 24 Oct 2019 01:19:37 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:45610 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2406809AbfJXFTg (ORCPT ); Thu, 24 Oct 2019 01:19:36 -0400 Received: by mail-pg1-f193.google.com with SMTP id r1so13484857pgj.12; Wed, 23 Oct 2019 22:19:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=R4Qpue11zRbP6z8jWqVbc0HPRRdY1MnnS2DG8TFSNZE=; b=Le9HX99kwkofdfuaGDLYlD93OYMmAz0ui7OB+Gf9j5PKoxGXjUNHW3263e+zoqaptL OPVhzCR/5Sr/81rasnbqjmWuJu+Lt2HxSVAmIrwK8vMRiNxvPW/+dwZp+xoxh6NQGvU7 gW5PvX/1EHqfEpBl2FXvESm3al9qUlOzNngsdEbWIZvSOK4mzMiQ1eHfxguLkn2S4NKo LXbS7SRiNoKPVWw/84u/rQMkM1o1etiCcbjL60ISnE+TpjUg4az7WfxDo7KlebVknCF6 Sndo1Zte89XlU4wPUMML9hDajpj1HRFyNPsPwNHAEn+zbCfbC4N/NEoia5hzaAR3IA1h WFmw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=R4Qpue11zRbP6z8jWqVbc0HPRRdY1MnnS2DG8TFSNZE=; b=TRhZqNsW7hMqHIY18juiXJFr41ZTht6THsA0tqzn606f23foVnKulGPr7TIG7DPSni DhybprfL5S4VZIIfS9XRBx0XDOY6vyYcJRNCRjp47Zku1ZFKfNXXASsEPki6eqpiGKY7 npVh971AfekyJ7wc6TWFUajoVHxR0Ky1v2lvwyA48zaX3ZLl1Ap9N9OCXjyw8Dkhr9Sv XZYuIvotaUW0BkW78l7m2FpNPcyOVA6A+a/mt+xEGKpCRPGAhtp3XLVWKOCJSwtuChcL hdi4TsQ+XMaX92dS8ug3RGAre7nmPWmM7fBqnX3JibsJQhhyhlY/Mesij4oebP7xFmO2 LJZA== X-Gm-Message-State: APjAAAXYdwZLDjiNqNrv+GnvgvGqEz9QJIutraG8sO3XbfNCL14BU9s/ pXZ8b42015HTqG2iFMH8b3sGJC3AnA== X-Received: by 2002:a63:8443:: with SMTP id k64mr14828888pgd.307.1571894375723; Wed, 23 Oct 2019 22:19:35 -0700 (PDT) Received: from localhost.localdomain ([216.52.21.4]) by smtp.gmail.com with ESMTPSA id q11sm7612161pgq.71.2019.10.23.22.19.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 23 Oct 2019 22:19:35 -0700 (PDT) From: Praveen Chaudhary X-Google-Original-From: Praveen Chaudhary To: fw@strlen.de Cc: astracner@linkedin.com, davem@davemloft.net, kadlec@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org, praveen5582@gmail.com, zxu@linkedin.com Subject: RE: [netfilter]: Fix skb->csum calculation when netfilter Date: Wed, 23 Oct 2019 22:19:33 -0700 Message-Id: <1571894373-11188-1-git-send-email-pchaudhary@linkedin.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <20191024011218.GT25052@breakpoint.cc> References: <20191024011218.GT25052@breakpoint.cc> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Florian Thanks for giving time for review. This fix is pretty important for SONiC OS (https://azure.github.io/SONiC/). So I really appreciate it. >> inet_proto_csum_replace16 is called from many places, whereas this fix is >> applicable only for nf_nat_ipv6_csum_update. where we need to update >> skb->csum for ipv6 src/dst address change. > >Under which circumstances does inet_proto_csum_replace16 upate >skb->csum correctly? inet_proto_csum_replace16 calculates skb->csum correctly if skb->csum does not include 16-bit sum of IPv6 Header i.e skb->data points to UDP\TCP\ICMPv6 header while calling __skb_checksum_complete() on packet. Function inet_proto_csum_replace16 is called from nf_nat_ipv6_csum_update(), nf_flow_nat_ipv6_tcp(), nf_flow_nat_ipv6_udp() and update_ipv6_checksum(). For all nf_*() functions, inet_proto_csum_replace16() will not update skb->csum correctly\completely. But I am not sure about update_ipv6_checksum() (in net/openvswitch/actions.c). This is where I seek help from experts. If even for update_ipv6_checksum(), skb->csum includes 16-bit sum of IPv6 Header then inet_proto_csum_replace16() does updates skb->csum correctly. Then our fix will be to remove below line from this function. Because change in UDP\TCP\ICMPv6 header checksum field and change in IPv6 SRC\DST address cancels each other for checksum calculation, i.e. no update to skb->csum is needed. ``` if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr) skb->csum = ~csum_partial(diff, sizeof(diff), ~skb->csum); ``` > >> So, I added a new function. Basically, I used a safe approach to fix it, >> without impacting other cases. Let me know other options, I am open to >> suggestions. > >You seem to imply inet_proto_csum_replace16 is fine and only broken for ipv6 >nat. Yeah, as mentioned above, I took safe approach to fix only nf_nat_ipv6_csum_update() part, where I am sure that skb->csum is broken. But I am not sure if (net/openvswitch/actions.c) needs this fix or not. Consider this my lack of expertise, So kindly suggest whether net/openvswitch/actions.c needs this fix or not. Note: I may not be able to test this part. After your suggestion, I will change my patch. Again Thanks for your time.