On Tue, Oct 29, 2024 at 11:21:44AM +0000, Daniel P. Berrangé wrote:
On Tue, Oct 29, 2024 at 06:03:26AM -0500, Andrea Bolognani wrote:
> I'm using Debian GNU/Hurd, so the DHCP client is the same as regular
> Debian (ISC DHCP). The source can be found at
>
> https://deb.debian.org/debian-ports/pool-hurd-i386/main/i/isc-dhcp/
>
> The version is a bit old and there's the tiniest amount of patching
> compared to the Linux build, specifically:
>
> --- isc-dhcp-4.4.3-P1-1.1/debian/patches/bind-fix 1970-01-01
> 01:00:00.000000000 +0100
> +++ isc-dhcp-4.4.3-P1-1.1+hurd.1/debian/patches/bind-fix
> 2023-02-15 15:39:49.000000000 +0100
> @@ -0,0 +1,26 @@
> +Index: isc-dhcp-4.4.3-P1-build/bind/bind-9.11.36/lib/isc/unix/socket.c
> +===================================================================
> +--- isc-dhcp-4.4.3-P1-build.orig/bind/bind-9.11.36/lib/isc/unix/socket.c
> ++++ isc-dhcp-4.4.3-P1-build/bind/bind-9.11.36/lib/isc/unix/socket.c
> +@@ -2633,7 +2633,7 @@ opensocket(isc__socketmgr_t *manager, is
> + char strbuf[ISC_STRERRORSIZE];
> + const char *err = "socket";
> + int tries = 0;
> +-#if defined(USE_CMSG) || defined(SO_BSDCOMPAT) || defined(SO_NOSIGPIPE)
> ++#if 1
> + int on = 1;
> + #endif
> + #if defined(SO_RCVBUF)
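
Review bot: in opensocket(), replacing the `#if defined(USE_CMSG) || defined(SO_BSDCOMPAT) || defined(SO_NOSIGPIPE)` guard with `#if 1` drops the record of which feature needs `on` on this platform, and bind-fix starts straight at the Index: line with no description of the problem it addresses. Prefer extending the original condition with the macro that guards the use of `on` on Hurd, or keep `#if 1` with a comment naming that use; otherwise `int on = 1;` is declared even in configurations where nothing reads it.
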
>
> I'm not sure whether this could be relevant to the issue at hand.

That impl has the explicit check for all-zeros checksum.

So you think it's affected by the same inexplicable behavior as
NetBSD? If you tell me how to run tcpdump the right way, I can do
that for you without you having to set up a GNU/Hurd guest.

> To clarify, this is something that needs to be handled at the
> userspace level, no kernel changes required? And clearly it affects
> DHCP, but what about other protocols? Are we confident those will
> cope just fine?

It would affect *any* application which is reading raw packets
and manually verifying the IP checksum. DHCP is the common
case, but there could be others.

Historically our iptables rule only ever fixed up DHCP packets
and we've not seen other complaints. So if something else is
affected in the real world, it is sufficiently rare that the
few people affected have not noticed and/or cared enough to
escalate it.

That sounds reassuring :)

--
Andrea Bolognani / Red Hat / Virtualization
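
An added example, not part of the thread and not taken from ISC DHCP: how a program reading raw packets can verify a UDP checksum itself, including the explicit all-zeros case mentioned above (RFC 768 defines a zero checksum field as "no checksum computed"). The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum udp_csum { UDP_CSUM_OK, UDP_CSUM_ABSENT, UDP_CSUM_BAD, UDP_MALFORMED };

/* RFC 1071 one's-complement sum over big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);  /* fold carries back in */
    return sum;
}

/* Pseudo-header (src, dst, zero, proto 17, UDP length) plus the UDP datagram. */
static uint16_t udp_sum(const uint8_t *ip, const uint8_t *udp, size_t ulen)
{
    uint32_t sum = csum_add(17 + (uint32_t)ulen, ip + 12, 8);
    return (uint16_t)csum_add(sum, udp, ulen);
}

/* pkt: raw IPv4 packet as read from a packet socket, link header stripped. */
enum udp_csum check_udp(const uint8_t *pkt, size_t len)
{
    size_t ihl = len ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17)
        return UDP_MALFORMED;
    const uint8_t *udp = pkt + ihl;
    size_t ulen = (size_t)udp[4] << 8 | udp[5];
    if (ulen < 8 || ulen > len - ihl)
        return UDP_MALFORMED;
    if (udp[6] == 0 && udp[7] == 0)
        return UDP_CSUM_ABSENT;              /* RFC 768: sender computed none */
    return udp_sum(pkt, udp, ulen) == 0xffff ? UDP_CSUM_OK : UDP_CSUM_BAD;
}

/* Constructed sample: 192.0.2.1:67 -> 192.0.2.2:68, payload "test".
 * fill != 0 computes the real UDP checksum, otherwise 'field' is stored as-is. */
void make_sample(uint8_t out[32], int fill, uint16_t field)
{
    static const uint8_t tmpl[32] = { 0x45,0,0,32, 0,0,0,0, 64,17,0,0,
        192,0,2,1, 192,0,2,2, 0,67, 0,68, 0,12, 0,0, 't','e','s','t' };
    memcpy(out, tmpl, 32);
    if (fill)
        field = (uint16_t)~udp_sum(out, out + 20, 12);
    out[26] = field >> 8; out[27] = field & 0xff;
}
```

A reader that drops everything except `UDP_CSUM_OK` and `UDP_CSUM_ABSENT` will discard a packet whose checksum field was never filled in with the final value, even though the payload is intact.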