Date: Wed, 27 Apr 2022 16:36:49 +0200
From: Pablo Neira Ayuso
To: Kevin Mitchell
Cc: gal@nvidia.com, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Jakub Kicinski, Paolo Abeni, Hideaki YOSHIFUJI, David Ahern, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH nf-next v2 1/1] netfilter: conntrack: skip verification of zero UDP checksum
Message-ID:
References: <20220405234739.269371-2-kevmitch@arista.com> <20220408043341.416219-1-kevmitch@arista.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20220408043341.416219-1-kevmitch@arista.com>
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 07, 2022 at 09:33:40PM -0700, Kevin Mitchell wrote:
> The checksum is optional for UDP packets in IPv4. However nf_reject
> would previously require a valid checksum to elicit a response such as
> ICMP_DEST_UNREACH.
>
> Add some logic to nf_reject_verify_csum to determine if a UDP packet has
> a zero checksum and should therefore not be verified. Explicitly require
> a valid checksum for IPv6 consistent with RFC 2460 and with the non-netfilter
> stack (see udp6_csum_zero_error).
>
> Signed-off-by: Kevin Mitchell
> ---
> include/net/netfilter/nf_reject.h | 27 +++++++++++++++++++++++----
> net/ipv4/netfilter/nf_reject_ipv4.c | 10 +++++++---
> net/ipv6/netfilter/nf_reject_ipv6.c | 4 ++--
> 3 files changed, 32 insertions(+), 9 deletions(-)
>
> diff --git a/include/net/netfilter/nf_reject.h b/include/net/netfilter/nf_reject.h
> index 9051c3a0c8e7..f248c1ff8b22 100644
> --- a/include/net/netfilter/nf_reject.h
> +++ b/include/net/netfilter/nf_reject.h
> @@ -5,12 +5,34 @@ > #include > #include > > -static inline bool nf_reject_verify_csum(__u8 proto) > +static inline bool nf_reject_verify_csum(struct sk_buff *skb, int dataoff, > + __u8 proto) > { > /* Skip protocols that don't use 16-bit one's complement checksum > * of the entire payload. > */ > switch (proto) { > + /* Protocols with optional checksums. */ > + case IPPROTO_UDP: { > + const struct udphdr *udp_hdr; > + struct udphdr _udp_hdr; > + > + /* Checksum is required in IPv6 > + * see RFC 2460 section 8.1 > + */ Right, but follow up work say otherwise? https://www.rfc-editor.org/rfc/rfc6935 https://www.rfc-editor.org/rfc/rfc6936 Moreover, conntrack and NAT already allow for UDP zero checksum in IPv6. I'm inclined to stick to the existing behaviour for consistency, ie. allow for zero checksum in IPv6 UDP.
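Review bot: the comment in the new IPPROTO_UDP case, "Checksum is required in IPv6 / see RFC 2460 section 8.1", cites a superseded reference and overstates the rule: RFC 8200 obsoletes RFC 2460, and RFC 6935/6936 (linked in the reply) permit a zero UDP checksum over IPv6 for tunnel encapsulations, which the reply says conntrack and NAT already accept. Either fold the IPv6 case into the same "zero means skip" handling as IPv4 so nf_reject stays consistent with the rest of netfilter, or keep the stricter branch and have the comment say why nf_reject deliberately diverges from conntrack, citing RFC 8200 section 8.1 and the RFC 6935 exception. The quote is also cut off right after the declarations `const struct udphdr *udp_hdr;` and `struct udphdr _udp_hdr;`, so the code that fills udp_hdr from skb and dataoff is not visible here; whatever helper does that, a failed header read on a truncated packet should fall through to the default verify path rather than be treated as a zero checksum.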
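The rule the commit message leans on (a zero UDP checksum is legal in IPv4 and means "no checksum", while IPv6 normally requires one, subject to the RFC 6935/6936 exception raised in the reply) is easier to see with the arithmetic written out. The following is an added example, not code from the patch, from netfilter or from the kernel tree: a user-space model with constructed sample datagrams. The names udp4_checksum, udp_csum_needs_verify, udp4_verify and sample_verify, and the allow_v6_zero switch, are this example's own assumptions and not kernel APIs.

```c
/* Added example, not code from the patch, from netfilter or from the kernel:
 * a user-space model of the rule the patch depends on.  RFC 768 makes the
 * IPv4 UDP checksum optional; a zero field means "none", so a checksum that
 * computes to zero is sent as 0xFFFF.  udp_csum_needs_verify mirrors the
 * patch's intent; allow_v6_zero models the RFC 6935/6936 question. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ip_family { FAMILY_IPV4 = 4, FAMILY_IPV6 = 6 };

/* RFC 1071 one's complement accumulation; an odd trailing byte is zero-padded. */
static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold carries back into 16 bits. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* IPv4 UDP checksum: pseudo-header (src, dst, 0, proto 17, UDP length) +
 * UDP header with the checksum field taken as zero + payload.  Returns the
 * on-the-wire value: a computed 0 becomes 0xFFFF because 0 is reserved for
 * "no checksum". */
uint16_t udp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *udp, size_t udp_len)
{
    uint8_t pseudo[12] = { 0 };
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 17;                              /* IPPROTO_UDP */
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)udp_len;
    uint32_t acc = ones_sum(0, pseudo, sizeof pseudo);
    acc = ones_sum(acc, udp, 6);                 /* ports and length */
    acc = ones_sum(acc, udp + 8, udp_len - 8);   /* payload; field skipped */
    uint16_t csum = (uint16_t)~fold(acc);
    return csum ? csum : 0xffffu;
}

/* Verify the stored checksum?  Non-zero: always.  Zero on IPv4: absent, skip.
 * Zero on IPv6: required by RFC 8200 s8.1 unless the receiver opts into the
 * RFC 6935 zero-checksum exception. */
int udp_csum_needs_verify(enum ip_family fam, uint16_t stored, int allow_v6_zero)
{
    if (stored != 0)
        return 1;
    if (fam == FAMILY_IPV4)
        return 0;
    return allow_v6_zero ? 0 : 1;
}

/* Verify a received IPv4 datagram: 1 = acceptable, 0 = corrupt. */
int udp4_verify(const uint8_t src[4], const uint8_t dst[4],
                const uint8_t *udp, size_t udp_len)
{
    uint16_t stored = (uint16_t)((udp[6] << 8) | udp[7]);
    if (!udp_csum_needs_verify(FAMILY_IPV4, stored, 0))
        return 1;
    return udp4_checksum(src, dst, udp, udp_len) == stored;
}

/* Constructed sample traffic (not captured): 10.0.0.1 -> 10.0.0.2, ports
 * 0x1234 -> 53.  SAMPLE_UDP carries "abcd"; SAMPLE_UDP_ZERO has a payload
 * chosen so that the arithmetic checksum is exactly zero. */
static const uint8_t SAMPLE_SRC[4] = { 10, 0, 0, 1 };
static const uint8_t SAMPLE_DST[4] = { 10, 0, 0, 2 };
static const uint8_t SAMPLE_UDP[12] =
    { 0x12, 0x34, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'a', 'b', 'c', 'd' };
static const uint8_t SAMPLE_UDP_ZERO[10] =
    { 0x12, 0x34, 0x00, 0x35, 0x00, 0x0a, 0x00, 0x00, 0xd9, 0x6e };

/* Copy SAMPLE_UDP with the given checksum field stored and run the verifier. */
int sample_verify(uint16_t stored)
{
    uint8_t pkt[sizeof SAMPLE_UDP];
    memcpy(pkt, SAMPLE_UDP, sizeof pkt);
    pkt[6] = (uint8_t)(stored >> 8);
    pkt[7] = (uint8_t)stored;
    return udp4_verify(SAMPLE_SRC, SAMPLE_DST, pkt, sizeof pkt);
}

int main(void)
{
    printf("computed: 0x%04x, zero-sum datagram on the wire: 0x%04x\n",
           udp4_checksum(SAMPLE_SRC, SAMPLE_DST, SAMPLE_UDP, sizeof SAMPLE_UDP),
           udp4_checksum(SAMPLE_SRC, SAMPLE_DST, SAMPLE_UDP_ZERO, sizeof SAMPLE_UDP_ZERO));
    printf("accept stored 0x14a4: %d, 0x0000: %d, 0x14a5: %d\n",
           sample_verify(0x14a4), sample_verify(0), sample_verify(0x14a5));
    return 0;
}
```

For SAMPLE_UDP the checksum works out to 0x14a4, and SAMPLE_UDP_ZERO goes on the wire as 0xffff: that mapping exists precisely because a receiver cannot otherwise tell "computed to zero" from "not present". udp4_verify accepts a stored 0x0000 without checking, which is the skip the patch adds to nf_reject_verify_csum for IPv4, and rejects a corrupted 0x14a5. The IPv6 branch of udp_csum_needs_verify keeps the choice the thread is debating explicit: allow_v6_zero = 0 is the strict RFC 8200 reading in the patch's comment, allow_v6_zero = 1 is the conntrack/NAT behaviour the reply prefers.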