netfilter: nftables: allow re-computing sctp CRC-32C in 'payload' statements

nftables payload statements are used to mangle SCTP headers, but they can only replace the Internet Checksum. As a consequence, nftables rules that mangle sport/dport/vtag in SCTP headers potentially generate packets that are discarded by the receiver, unless the CRC-32C is "offloaded" (e.g the rule mangles a skb having 'ip_summed' equal to 'CHECKSUM_PARTIAL'. Fix this extending uAPI definitions and L4 checksum update function, in a way that userspace programs (e.g. nft) can instruct the kernel to compute CRC-32C in SCTP headers. Also ensure that LIBCRC32C is built if NF_TABLES is 'y' or 'm' in the kernel build configuration. Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-01-24 06:35:44 +08:00 · 2020-10-15 18:39:27 +02:00 · 2020-10-15 18:39:27 +02:00 · 346e320cb2
commit 346e320cb2
parent 54086c5a7f
3 changed files with 31 additions and 0 deletions
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@ -749,10 +749,12 @@ enum nft_payload_bases {
 *
 * @NFT_PAYLOAD_CSUM_NONE: no checksumming
 * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
 * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
 */
 enum nft_payload_csum_types {
 	NFT_PAYLOAD_CSUM_NONE,
 	NFT_PAYLOAD_CSUM_INET,
 	NFT_PAYLOAD_CSUM_SCTP,
 };
 enum nft_payload_csum_flags {
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@ -441,6 +441,7 @@ endif # NF_CONNTRACK
 config NF_TABLES
 	select NETFILTER_NETLINK
 	select LIBCRC32C
 	tristate "Netfilter nf_tables support"
 	help
 	  nftables is the new packet classification framework that intends to
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@ -22,6 +22,7 @@
 #include <linux/icmpv6.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <net/sctp/checksum.h>
 static bool nft_payload_rebuild_vlan_hdr(const struct sk_buff *skb, int mac_off,
 					 struct vlan_ethhdr *veth)
@ -484,6 +485,19 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
 	return 0;
 }
 static int nft_payload_csum_sctp(struct sk_buff *skb, int offset)
 {
 	struct sctphdr *sh;
 	if (skb_ensure_writable(skb, offset + sizeof(*sh)))
 		return -1;
 	sh = (struct sctphdr *)(skb->data + offset);
 	sh->checksum = sctp_compute_cksum(skb, offset);
 	skb->ip_summed = CHECKSUM_UNNECESSARY;
 	return 0;
 }
 static int nft_payload_l4csum_update(const struct nft_pktinfo *pkt,
 				     struct sk_buff *skb,
 				     __wsum fsum, __wsum tsum)
@ -587,6 +601,13 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
 	    skb_store_bits(skb, offset, src, priv->len) < 0)
 		goto err;
 	if (priv->csum_type == NFT_PAYLOAD_CSUM_SCTP &&
 	    pkt->tprot == IPPROTO_SCTP &&
 	    skb->ip_summed != CHECKSUM_PARTIAL) {
 		if (nft_payload_csum_sctp(skb, pkt->xt.thoff))
 			goto err;
 	}
 	return;
 err:
 	regs->verdict.code = NFT_BREAK;
@ -623,6 +644,13 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
 	case NFT_PAYLOAD_CSUM_NONE:
 	case NFT_PAYLOAD_CSUM_INET:
 		break;
 	case NFT_PAYLOAD_CSUM_SCTP:
 		if (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER)
 			return -EINVAL;
 		if (priv->csum_offset != offsetof(struct sctphdr, checksum))
 			return -EINVAL;
 		break;
 	default:
 		return -EOPNOTSUPP;
 	}