Re: [PATCH net-next 01/14] netfilter: conntrack: mark UDP zero checksum as CHECKSUM_UNNECESSARY

Gal Pressman <gal@xxxxxxxxxx> · Wed, 16 Feb 2022 20:52:14 +0200

On 16/02/2022 18:04, Pablo Neira Ayuso wrote:
> On Wed, Feb 16, 2022 at 04:28:42PM +0100, Florian Westphal wrote:
>> Gal Pressman <gal@xxxxxxxxxx> wrote:
>>
>> [ CC patch author ]
>>
>>>> The udp_error function verifies the checksum of incoming UDP packets if
>>>> one is set. This has the desirable side effect of setting skb->ip_summed
>>>> to CHECKSUM_COMPLETE, signalling that this verification need not be
>>>> repeated further up the stack.
>>>>
>>>> Conversely, when the UDP checksum is empty, which is perfectly legal (at least
>>>> inside IPv4), udp_error previously left no trace that the checksum had been
>>>> deemed acceptable.
>>>>
>>>> This was a problem in particular for nf_reject_ipv4, which verifies the
>>>> checksum in nf_send_unreach() before sending ICMP_DEST_UNREACH. It makes
>>>> no accommodation for zero UDP checksums unless they are already marked
>>>> as CHECKSUM_UNNECESSARY.
>>>>
>>>> This commit ensures packets with empty UDP checksum are marked as
>>>> CHECKSUM_UNNECESSARY, which is explicitly recommended in skbuff.h.
>>>>
>>>> Signed-off-by: Kevin Mitchell <kevmitch@xxxxxxxxxx>
>>>> Acked-by: Florian Westphal <fw@xxxxxxxxx>
>>>> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>>>> ---
>>>>  net/netfilter/nf_conntrack_proto_udp.c | 4 +++-
>>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
>>>> index 3b516cffc779..12f793d8fe0c 100644
>>>> --- a/net/netfilter/nf_conntrack_proto_udp.c
>>>> +++ b/net/netfilter/nf_conntrack_proto_udp.c
>>>> @@ -63,8 +63,10 @@ static bool udp_error(struct sk_buff *skb,
>>>>  	}
>>>>  
>>>>  	/* Packet with no checksum */
>>>> -	if (!hdr->check)
>>>> +	if (!hdr->check) {
>>>> +		skb->ip_summed = CHECKSUM_UNNECESSARY;
>>>>  		return false;
>>>> +	}
>>>>  
>>>>  	/* Checksum invalid? Ignore.
>>>>  	 * We skip checking packets on the outgoing path
>>> Hey,
>>>
>>> I think this patch broke geneve tunnels, or possibly all udp tunnels?
>>>
>>> A simple test that creates two geneve tunnels and runs tcp iperf fails
>>> and results in checksum errors (TcpInCsumErrors).
>>>
>>> Any idea how to solve that? Maybe 'skb->csum_level' needs some adjustments?
>> Probably better to revert and patch nf_reject instead to
>> handle 0 udp csum?
> Agreed.

Thanks, should I submit a revert?