netdev
[Top] [All Lists]

Re: [PATCH] Fix checksum bug for multicast/broadcast packets on postrout

To: James Morris <jmorris@xxxxxxxxxx>
Subject: Re: [PATCH] Fix checksum bug for multicast/broadcast packets on postrouting hook
From: Mika Penttilä <mika.penttila@xxxxxxxxxxx>
Date: Sun, 15 Feb 2004 15:40:18 +0200
Cc: "David S. Miller" <davem@xxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxxx>, netdev@xxxxxxxxxxx, Stephen Smalley <sds@xxxxxxxxxxxxxx>
In-reply-to: <Xine.LNX.4.44.0402150801310.12126-100000@xxxxxxxxxxxxxxxxxxxxxxxx>
References: <Xine.LNX.4.44.0402150801310.12126-100000@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1


James Morris wrote:

On Sun, 15 Feb 2004, Mika Penttilä wrote:

James Morris wrote:

On Sat, 14 Feb 2004, Mika Penttilä wrote:
This is unneeded overhead for the common case. The right fix is to make sure the modifier (netfilter etc) makes the copy if needed. Actually, this is what skb_ip_make_writable() is doing.
The common case here will be only for locally generated multicast and broadcast packets.

If the netfilter core code is modified instead, we will end up adding
skb_ip_make_writable() to nf_hook_slow() which will be called for every packet with an output device which uses hardware checksums.

Not sure which is worse, but here's a proposed patch which does this.


- James

I don't see the context here. Where is the packet mangled? Why isn't that instance doing skb_ip_make_writable()? selinux? Not everyone generating locally multicast/broadcast packets is using selinux...


[my previous post didn't seem to make it to the list, newer patch is attached below again]

The packet is mangled in skb_checksum_help(), which is called by the Netfilter core code. It is not being mangled by SELinux.


- James

skb_checksum_help() updates skb->ip_summed to CHECKSUM_NONE in the original skb, and this should be seen by the driver. With your change the checksum is calculated twice, once for the looping back packet, and once for the outgoing.

--Mika







<Prev in Thread] Current Thread [Next in Thread>