tech-net archive


Re: NPF: broken checksums



max%m00nbsd.net@localhost (Maxime Villard) writes:

>It's not correct; when we call npf_fetch_tcpopts to only read the TCP options,
>we shouldn't modify the packet. Otherwise the TCP checksum becomes invalid
>(we're not recomputing it), and the AH signature too (if any).

Please also look at where packets are filtered.

On input, the checksum is already validated and trashing it afterwards
has little effect.

On output, pfil_run_hooks is called after the TCP header (without opts!)
checksum has been calculated and before the remaining partial checksum
(with header opts) is added. Adjusting the checksum for changes in
the TCP options would make the final checksum invalid.

On forwarding, the most likely case, it's filtered on input and output,
so the filter rules are matched once for PFIL_IN, once for PFIL_OUT.
PFIL_IN is then ignored because of nbuf_cksum_barrier(), but PFIL_OUT isn't.

-- 
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
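The staged output-path checksum that the reply describes (header-only checksum first, then the pfil hook, then the options' partial sum folded in) can be modelled in a few lines. The following is an added example written for this archive page; it is not NPF or NetBSD kernel code, and the SYN segment, the MSS rewrite and all function names are constructed for illustration. The pseudo-header and payload are left out of the model, and nbuf_cksum_barrier() is not represented; the point is only to show why an RFC 1624 incremental adjustment made between the two stages leaves the final checksum invalid, while the same adjustment is exactly right once the checksum is complete.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   20              /* fixed TCP header */
#define OPT_LEN   12              /* constructed options block */
#define SEG_LEN   (HDR_LEN + OPT_LEN)
#define CKSUM_OFF 16              /* offset of the checksum field */
#define MSS_OFF   (HDR_LEN + 2)   /* value bytes of the MSS option */

/* Constructed SYN segment (not captured traffic): header with the checksum
 * field zeroed, then options MSS 1460, NOP, WS 7, SACK-permitted, NOP, NOP.
 * Pseudo-header and payload are omitted from this model. */
static const uint8_t seg_template[SEG_LEN] = {
    0xc3, 0x50, 0x00, 0x50,  /* src port 50000, dst port 80 */
    0x00, 0x00, 0x10, 0x00,  /* sequence number */
    0x00, 0x00, 0x00, 0x00,  /* acknowledgement number */
    0x80, 0x02, 0xfa, 0xf0,  /* data offset 8 (32 bytes), SYN, window */
    0x00, 0x00, 0x00, 0x00,  /* checksum (0 for now), urgent pointer */
    0x02, 0x04, 0x05, 0xb4,  /* MSS = 1460 */
    0x01, 0x03, 0x03, 0x07,  /* NOP, window scale 7 */
    0x04, 0x02, 0x01, 0x01   /* SACK-permitted, NOP, NOP */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* One's-complement sum of big-endian 16-bit words, continuing from acc. */
static uint32_t ocsum_partial(const uint8_t *buf, size_t len, uint32_t acc)
{
    for (; len > 1; buf += 2, len -= 2)
        acc += get16(buf);
    if (len)
        acc += (uint32_t)buf[0] << 8;
    return acc;
}

/* Fold the accumulator to 16 bits and complement it. */
static uint16_t ocsum_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* A segment verifies when the sum over all of it, checksum field included,
 * folds and complements to zero. */
static int seg_cksum_valid(const uint8_t *seg)
{
    return ocsum_fold(ocsum_partial(seg, SEG_LEN, 0)) == 0;
}

/* RFC 1624 incremental update for one word changing from m to m':
 * HC' = ~(~HC + ~m + m'). */
static uint16_t cksum_adjust(uint16_t hc, uint16_t m_old, uint16_t m_new)
{
    uint32_t acc = (uint16_t)~hc;
    acc += (uint16_t)~m_old;
    acc += m_new;
    return ocsum_fold(acc);
}

/* A filter rewriting the MSS value; with adjust set it also patches the
 * checksum field incrementally for that change. */
static void rewrite_mss(uint8_t *seg, uint16_t new_mss, int adjust)
{
    uint16_t old = get16(seg + MSS_OFF);
    put16(seg + MSS_OFF, new_mss);
    if (adjust)
        put16(seg + CKSUM_OFF, cksum_adjust(get16(seg + CKSUM_OFF), old, new_mss));
}

/* Output path as described in the mail: header-only checksum first, then
 * the filter hook runs, then the options' partial sum is folded in. */
static int output_path_then_verify(int filter_adjusts)
{
    uint8_t seg[SEG_LEN];
    memcpy(seg, seg_template, SEG_LEN);
    put16(seg + CKSUM_OFF, ocsum_fold(ocsum_partial(seg, HDR_LEN, 0)));   /* stage 1 */
    rewrite_mss(seg, 1200, filter_adjusts);                               /* stage 2 */
    uint32_t acc = (uint16_t)~get16(seg + CKSUM_OFF);                     /* stage 3 */
    put16(seg + CKSUM_OFF, ocsum_fold(ocsum_partial(seg + HDR_LEN, OPT_LEN, acc)));
    return seg_cksum_valid(seg);
}

/* For contrast: the checksum is already complete when the rewrite happens,
 * so here the incremental adjustment is what keeps the segment valid. */
static int complete_cksum_then_rewrite_and_verify(int filter_adjusts)
{
    uint8_t seg[SEG_LEN];
    memcpy(seg, seg_template, SEG_LEN);
    put16(seg + CKSUM_OFF, ocsum_fold(ocsum_partial(seg, SEG_LEN, 0)));
    rewrite_mss(seg, 1200, filter_adjusts);
    return seg_cksum_valid(seg);
}

int main(void)
{
    printf("staged output path, no adjustment:    %s\n", output_path_then_verify(0) ? "valid" : "INVALID");
    printf("staged output path, with adjustment:  %s\n", output_path_then_verify(1) ? "valid" : "INVALID");
    printf("complete checksum, no adjustment:     %s\n", complete_cksum_then_rewrite_and_verify(0) ? "valid" : "INVALID");
    printf("complete checksum, with adjustment:   %s\n", complete_cksum_then_rewrite_and_verify(1) ? "valid" : "INVALID");
    return 0;
}
```

In the staged path the rewritten option bytes are summed in at stage 3 anyway, so the stage 2 adjustment counts the change twice and the segment fails verification; without the adjustment it verifies. With a complete checksum the situation inverts, which is why a filter has to know at which point of the checksum pipeline its hook runs before touching the field.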
