review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 22 Aug 2018 09:33:27 +0000 (11:33 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 24 Aug 2018 07:58:16 +0000 (09:58 +0200)
commit	10568f6c5761db24249c610c94d6e44d5505a0ba
tree	ff21dc6e19b014a55c5956bccb7209e19a109535	tree \| snapshot
parent	c1dc2912059901f97345d9e10c96b841215fdc0f	commit \| diff

netfilter: xt_checksum: ignore gso skbs

Satish Patel reports a skb_warn_bad_offload() splat caused
by -j CHECKSUM rules:

-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM

The CHECKSUM target has never worked with GSO skbs, and the above rule
makes no sense as kernel will handle checksum updates on transmit.

Unfortunately, there are 3rd party tools that install such rules, so we
cannot reject this from the config plane without potential breakage.

Amend Kconfig text to clarify that the CHECKSUM target is only useful
in virtualized environments, where old dhcp clients that use AF_PACKET
used to discard UDP packets with a 'bad' header checksum and add a
one-time warning in case such rule isn't restricted to UDP.

v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek)

Reported-by: Satish Patel <satish.txt@gmail.com>
Reported-by: Markos Chandras <markos.chandras@suse.com>
Reported-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/netfilter/Kconfig		diff \| blob \| history
net/netfilter/xt_CHECKSUM.c		diff \| blob \| history