bugzilla-daemon at netfilter.org
2016-Nov-11  07:49 UTC
[Bug 1098] New: Stateless packet rewriting of source/destination IPs must update IP header as well
https://bugzilla.netfilter.org/show_bug.cgi?id=1098
            Bug ID: 1098
           Summary: Stateless packet rewriting of source/destination IPs
                    must update IP header as well
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: dalegaard at gmail.com
Hi!
Currently a stateless packet rewrite like the following:
 ip daddr set ip daddr map @destmap
... will not work in practice because the TCP or UDP checksum is not updated.
The IP header is updated correctly, but there does not currently appear to be a
means to update the TCP or UDP checksums as well. TCP and UDP checksums cover
(part of) the IP header as well, checksumming a "pseudo header" instead of the
real header.
I was unsure where to file this, or how to even approach a fix in the best way.
The pseudo-header is a pretty bad layering violation, but without the ability
to modify the TCP or UDP checksums when changing the IP header, applications
like one-to-one NAT cannot be performed from nftables.
I also don't know if this is a use case nftables even wants to support (although
I would love it if it did), so the severity may need tweaking. I'm inclined to
think it's an oversight rather than an intentional choice.
BR.
-- 
You are receiving this mail because:
You are watching all bug changes.
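The failure the report describes, as an added example that is not code from the report or from nftables: a user-space C model of the UDP checksum over the IPv4 pseudo-header, showing that rewriting daddr alone leaves the datagram failing verification, while an incremental (RFC 1624) adjustment of the UDP checksum, the kind of layer 4 fix-up the kernel later gained, keeps it valid. The packet bytes, addresses and function names are constructed for this example.

```c
/* Added example, not nftables code: model of why an ip daddr rewrite must also patch the UDP checksum. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* RFC 1071 one's-complement sum of n bytes; csum_fold folds the carries and complements. */
static uint32_t csum_partial(const uint8_t *b, size_t n, uint32_t s) {
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(b[i] << 8 | b[i + 1]);
    if (n & 1) s += (uint32_t)b[n - 1] << 8;
    return s;
}
static uint16_t csum_fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* UDP checksum over the IPv4 pseudo-header (saddr, daddr, 0, proto, len) plus the
 * datagram; pkt points at the IPv4 header. Returns 0 when the stored checksum is correct. */
uint16_t udp_csum(const uint8_t *pkt) {
    const uint8_t *udp = pkt + (pkt[0] & 0xf) * 4;
    uint16_t ulen = (uint16_t)(udp[4] << 8 | udp[5]);
    uint8_t ph[12] = {0};
    memcpy(ph, pkt + 12, 8);                         /* saddr, daddr */
    ph[9] = 17; ph[10] = ulen >> 8; ph[11] = ulen;   /* IPPROTO_UDP, UDP length */
    return csum_fold(csum_partial(udp, ulen, csum_partial(ph, 12, 0)));
}
/* RFC 1624 incremental update HC' = ~(~HC + ~m + m'), applied to both halves of a
 * changed 32-bit field, so the payload is not re-read when an address changes. */
static uint16_t csum_update32(uint16_t hc, uint32_t m, uint32_t m2) {
    uint32_t s = (uint16_t)~hc;
    s += (uint16_t)~(m >> 16) + (uint16_t)~(m & 0xffff) + (m2 >> 16) + (m2 & 0xffff);
    return csum_fold(s);
}
/* Rewrite daddr like `ip daddr set`; with fix_l4 also patch the UDP checksum.
 * Returns 1 if the datagram still verifies, 0 if a receiver would drop it. */
int rewrite_daddr(uint8_t *pkt, uint32_t nd, int fix_l4) {
    uint8_t *udp = pkt + (pkt[0] & 0xf) * 4;
    uint32_t od = (uint32_t)pkt[16] << 24 | pkt[17] << 16 | pkt[18] << 8 | pkt[19];
    pkt[16] = nd >> 24; pkt[17] = nd >> 16; pkt[18] = nd >> 8; pkt[19] = nd;
    if (fix_l4) {
        uint16_t c = csum_update32((uint16_t)(udp[6] << 8 | udp[7]), od, nd);
        if (c == 0) c = 0xffff;                      /* UDP: 0 means "no checksum" */
        udp[6] = c >> 8; udp[7] = c;
    }
    return udp_csum(pkt) == 0;
}
/* Constructed sample 10.0.0.1 -> 192.168.1.10, UDP 5000 -> 5000, payload "ping" (IP header
 * checksum left 0, irrelevant here); fill in the UDP checksum, then rewrite daddr to 172.16.0.5. */
int demo(int fix_l4) {
    uint8_t pkt[32] = { 0x45,0,0,0x20, 0,1,0,0, 0x40,17,0,0, 10,0,0,1, 192,168,1,10,
                        0x13,0x88,0x13,0x88, 0,0x0c,0,0, 'p','i','n','g' };
    uint16_t c = udp_csum(pkt); pkt[26] = c >> 8; pkt[27] = c;  /* field was 0 */
    return rewrite_daddr(pkt, 0xac100005u, fix_l4);
}
```

demo(0) is the rewrite the reporter tried (IP header only) and returns 0; demo(1) also adjusts the UDP checksum and returns 1.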
bugzilla-daemon at netfilter.org
2016-Nov-11  10:53 UTC
[Bug 1098] Stateless packet rewriting of source/destination IPs must update TCP/UDP header as well
https://bugzilla.netfilter.org/show_bug.cgi?id=1098
dalegaard at gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Stateless packet rewriting  |Stateless packet rewriting
                   |of source/destination IPs   |of source/destination IPs
                   |must update IP header as    |must update TCP/UDP header
                   |well                        |as well
bugzilla-daemon at netfilter.org
2017-Jan-27  20:54 UTC
[Bug 1098] Stateless packet rewriting of source/destination IPs must update TCP/UDP header as well
https://bugzilla.netfilter.org/show_bug.cgi?id=1098
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
commit 1814096980bbe546c4384b7b064126cbe7d40d30
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Nov 24 12:04:55 2016 +0100
    netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields
Upcoming Linux kernel 4.10 comes with support for pseudoheader checksum
updates; you may also need to update to nft 0.7.
Closing. Thanks for reporting.