tech-net archive


Re: NPF: broken checksums



On 03/04/2018 at 13:07, Robert Elz wrote:
>     Date:        Tue, 3 Apr 2018 07:48:19 +0200
>     From:        Maxime Villard <max%m00nbsd.net@localhost>
>     Message-ID:  <11cba205-ba75-757a-689a-db9897d9835d%m00nbsd.net@localhost>
>
>   |  However, if the packet
>   | contains another TCPOPT_MAXSEG option,
>
> I assume you mean here in the same TCP header, rather than in some
> included packet (ie: a tunnel or similar).

Yes, that's what I mean.

> In that case, I think what happens to the packet is whatever we please,
> and forcing the second (and any later) MSS options to be the same as
> the first is entirely reasonable.   As would be just about anything else,
> including simply sending RST.

It's not correct; when we call npf_fetch_tcpopts to only read the TCP options,
we shouldn't modify the packet. Otherwise the TCP checksum becomes invalid
(we're not recomputing it), and the AH signature too (if any).

In the end the kernel kicks the packet - which shouldn't have happened if we
only wanted to read its options.
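The point made above, that a pure read of the TCP options must not write to the packet because the stored TCP checksum then no longer verifies, as an added example in C that is not part of this thread or of NPF's own code: the option walker, the checksum helper and the constructed sample segment (SYN with two MSS options) are all assumptions, and the pseudo-header is left out of the checksum for brevity.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#define TCPOPT_MAXSEG 2
/* Internet ones'-complement checksum (pseudo-header omitted: the point is
 * only that any byte change invalidates the stored field). */
static uint16_t cksum16(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += (uint32_t)buf[i] << ((i & 1) ? 0 : 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Walk the TCP options. mutate == false is a pure read (buffer never written);
 * mutate == true rewrites every MSS after the first to match it, i.e. the
 * normalisation under discussion. Returns the MSS count, or -1 if malformed. */
int walk_tcp_opts(uint8_t *opts, size_t len, uint16_t *mss, bool mutate) {
    int n = 0;
    for (size_t i = 0; i < len; ) {
        uint8_t kind = opts[i];
        if (kind == 0) break;                         /* TCPOPT_EOL */
        if (kind == 1) { i++; continue; }             /* TCPOPT_NOP */
        if (i + 1 >= len) return -1;                  /* truncated option */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;    /* bad length field */
        if (kind == TCPOPT_MAXSEG && olen == 4) {
            if (n == 0) *mss = (uint16_t)(opts[i + 2] << 8 | opts[i + 3]);
            else if (mutate) { opts[i + 2] = *mss >> 8; opts[i + 3] = *mss & 0xff; }
            n++;
        }
        i += olen;
    }
    return n;
}
uint8_t seg[28];        /* constructed sample segment (assumption, not real traffic) */
uint16_t first_mss;     /* MSS value found by the last walk */
/* Build a fresh 20-byte SYN header carrying MSS 1460 then MSS 1400 with a valid
 * checksum, walk its options, and return the number of MSS options seen. */
int demo(bool mutate) {
    static const uint8_t opts[8] = { 2, 4, 0x05, 0xb4, 2, 4, 0x05, 0x78 };
    memset(seg, 0, sizeof seg);
    seg[12] = 0x70; seg[13] = 0x02;           /* data offset 7 words; SYN */
    memcpy(seg + 20, opts, sizeof opts);
    uint16_t c = cksum16(seg, sizeof seg);    /* checksum field still zero here */
    seg[16] = c >> 8; seg[17] = c & 0xff;
    first_mss = 0;
    return walk_tcp_opts(seg + 20, sizeof opts, &first_mss, mutate);
}
/* Receiver-side check: the sum over the whole segment must fold to zero. */
bool checksum_ok(void) { return cksum16(seg, sizeof seg) == 0; }
```

With mutate == false the segment still verifies; with mutate == true the second MSS is rewritten to 1460 and the unrecomputed checksum fails, which is what gets the packet dropped.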

