[Bug 1098] New: Stateless packet rewriting of source/destination IPs must update IP header as well

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Nov 11 08:49:11 CET 2016


https://bugzilla.netfilter.org/show_bug.cgi?id=1098

            Bug ID: 1098
           Summary: Stateless packet rewriting of source/destination IPs
                    must update IP header as well
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: dalegaard at gmail.com

Hi!

Currently a stateless packet rewrite like the following:
 ip daddr set ip daddr map @destmap
... will not work in practice because the TCP or UDP checksum is not updated.
The IP header is updated correctly, but there does not currently appear to be a
means to update the TCP or UDP checksums as well. TCP and UDP checksums cover
(part of) the IP header as well, checksumming a "pseudo header" instead of the
real header.

I was unsure where to file this, or how to even approach a fix in the best way.
The pseudo-header is a pretty bad layering violation, but without the ability
to modify the TCP or UDP checksums when changing the IP header, applications
like one-to-one NAT cannot be performed from nftables.

I also don't know if this is a use case nftables even wants to support (although
I would love if it did), so the severity may need tweaking. I'm inclined to
think it's an oversight rather than an intentional choice.

BR.

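The checksum dependency the report describes, as an added example that is not part of the bug report or of nftables: the UDP checksum (RFC 768) is computed over a pseudo-header that contains the IPv4 source and destination addresses, so rewriting ip daddr and fixing only the IP header checksum leaves the UDP checksum stale. The code below builds an IPv4/UDP packet, reproduces the naive rewrite, shows the UDP checksum failing verification, then applies the RFC 1624 incremental update (HC' = ~(~HC + ~m + m')) so the packet validates again and matches a from-scratch recomputation. The addresses (RFC 5737 documentation ranges), ports and payload are constructed test data, and the packet layout is simplified to IHL=5 with no IP options.

```python
"""Added example (not nftables code): why a stateless ip daddr rewrite must also fix the UDP checksum."""
import struct

IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """Sum big-endian 16-bit words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: the slice of the IP header the UDP checksum covers."""
    return src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 (IHL=5, no options) + UDP packet with both checksums filled in."""
    s, d = ip_bytes(src), ip_bytes(dst)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = checksum(pseudo_header(s, d, udp_len) + udp)
    udp = udp[:6] + struct.pack("!H", csum or 0xFFFF) + udp[8:]  # UDP transmits 0 as 0xFFFF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, IPPROTO_UDP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def verify(packet: bytes) -> tuple:
    """Return (ip_header_checksum_ok, udp_checksum_ok) for an IHL=5 IPv4/UDP packet."""
    ip, udp = packet[:20], packet[20:]
    ip_ok = ones_complement_sum(ip) == 0xFFFF
    udp_ok = ones_complement_sum(pseudo_header(ip[12:16], ip[16:20], len(udp)) + udp) == 0xFFFF
    return ip_ok, udp_ok


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') when covered words m change to m'."""
    total = ((~old_csum) & 0xFFFF) \
        + ones_complement_sum(bytes(b ^ 0xFF for b in old_field)) \
        + ones_complement_sum(new_field)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_daddr_naive(packet: bytes, new_dst: str) -> bytes:
    """What the report describes: daddr and IP header checksum updated, UDP checksum left alone."""
    ip, udp = packet[:20], packet[20:]
    ip = ip[:16] + ip_bytes(new_dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip[:10] + b"\x00\x00" + ip[12:])) + ip[12:]
    return ip + udp


def rewrite_daddr_fixed(packet: bytes, new_dst: str) -> bytes:
    """Stateless 1:1 NAT done right: fold the address change into the UDP checksum as well."""
    old_dst = packet[16:20]
    out = rewrite_daddr_naive(packet, new_dst)
    old_csum = struct.unpack("!H", out[26:28])[0]
    if old_csum == 0:  # sender disabled the UDP checksum: nothing to fix up
        return out
    new_csum = incremental_update(old_csum, old_dst, ip_bytes(new_dst)) or 0xFFFF
    return out[:26] + struct.pack("!H", new_csum) + out[28:]


if __name__ == "__main__":
    pkt = build_udp_packet("10.0.0.1", "192.0.2.10", 40000, 53, b"hello nft")
    print("original     ", verify(pkt))
    print("naive rewrite", verify(rewrite_daddr_naive(pkt, "198.51.100.7")))
    print("fixed rewrite", verify(rewrite_daddr_fixed(pkt, "198.51.100.7")))
```

TCP is affected in exactly the same way: its pseudo-header has the same layout, so the same incremental adjustment applies to the TCP checksum at offset 16 of the TCP header. The IP header checksum, by contrast, covers only the IP header and is what the report says nftables already fixes up.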