Re: [PATCH stable] ipvs: sctp: fix checksumming on snat and dnat handlers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 21, 2013 at 02:05:39PM +0100, Daniel Borkmann wrote:
> In our test lab, we have a simple SCTP client connecting to a SCTP
> server via an IPVS load balancer. On some machines, load balancing
> works, but on others the initial handshake just fails, thus no
> SCTP connection whatsoever can be established!
> 
> We observed that the SCTP INIT-ACK handshake reply from the IPVS
> machine to the client had a correct IP checksum, but corrupt SCTP
> checksum when forwarded, thus on the client-side the packet was
> dropped and an intial handshake retriggered until all attempts
> run into the void.
> 
> To fix this issue, this patch i) adds a missing CHECKSUM_UNNECESSARY
> after the full checksum (re-)calculation (as done in IPVS TCP and UDP
> code as well), and ii) calculates the checksum in little-endian format
> (as fixed with the SCTP code in commit 4458f04c: sctp: Clean up sctp
> checksumming code). Stable backport of upstream commit 4b47bc9a.
> 
> Cc: Julian Anastasov <ja@xxxxxx>
> Cc: Simon Horman <horms@xxxxxxxxxxxx>
> Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
> ---
>  net/netfilter/ipvs/ip_vs_proto_sctp.c | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> index 9f3fb75..94bb367 100644
> --- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
> +++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> @@ -70,7 +70,7 @@ sctp_snat_handler(struct sk_buff *skb,
>  	sctp_sctphdr_t *sctph;
>  	unsigned int sctphoff;
>  	struct sk_buff *iter;
> -	__be32 crc32;
> +	__u32 crc32;
>  
>  #ifdef CONFIG_IP_VS_IPV6
>  	if (cp->af == AF_INET6)
> @@ -101,8 +101,9 @@ sctp_snat_handler(struct sk_buff *skb,
>  	skb_walk_frags(skb, iter)
>  		crc32 = sctp_update_cksum((u8 *) iter->data, skb_headlen(iter),
>  				          crc32);
> -	crc32 = sctp_end_cksum(crc32);
> -	sctph->checksum = crc32;
> +	sctph->checksum = sctp_end_cksum(crc32);
> +
> +	skb->ip_summed = CHECKSUM_UNNECESSARY;
>  
>  	return 1;
>  }
> @@ -114,7 +115,7 @@ sctp_dnat_handler(struct sk_buff *skb,
>  	sctp_sctphdr_t *sctph;
>  	unsigned int sctphoff;
>  	struct sk_buff *iter;
> -	__be32 crc32;
> +	__u32 crc32;
>  
>  #ifdef CONFIG_IP_VS_IPV6
>  	if (cp->af == AF_INET6)
> @@ -145,8 +146,9 @@ sctp_dnat_handler(struct sk_buff *skb,
>  	skb_walk_frags(skb, iter)
>  		crc32 = sctp_update_cksum((u8 *) iter->data, skb_headlen(iter),
>  					  crc32);
> -	crc32 = sctp_end_cksum(crc32);
> -	sctph->checksum = crc32;
> +	sctph->checksum = sctp_end_cksum(crc32);
> +
> +	skb->ip_summed = CHECKSUM_UNNECESSARY;
>  
>  	return 1;
>  }
> -- 
> 1.7.11.7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux