git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 9 Sep 2024 10:48:33 +0000 (12:48 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 23 Jan 2025 00:35:37 +0000 (01:35 +0100)
commit	2f0139b1fbefb7f03ecac02627c450749dafd854
tree	ac2ceebbcdc0f3fd33c81d989e5176225f06f6a6	tree
parent	a51953d97f7bc41b1711dfd62370ee573bde7b9f	commit \| diff

proto: use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to mangle UDP checksum

commit f89abfb4068d31f7279cae298abf25e0c077d2d3 upstream.

There are two mechanisms to update the UDP checksum field:

1) _CSUM_TYPE and _CSUM_OFFSET which specify the type of checksum
(e.g. inet) and offset where it is located.
2) use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to use layer 4 kernel
protocol parser.

The problem with 1) is that it is inconditional, that is, csum_type and
csum_offset cannot deal with zero UDP checksum.

Use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag instead since it relies on the
layer 4 kernel parser which skips updating zero UDP checksum.

Extend test coverage for the UDP mangling with and without zero
checksum.

Fixes: e6c9174e13b2 ("proto: add checksum key information to struct proto_desc")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/netlink_linearize.c		diff \| blob \| blame \| history
src/proto.c		diff \| blob \| blame \| history