<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Stateless packet rewriting of source/destination IPs must update IP header as well"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1098">1098</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Stateless packet rewriting of source/destination IPs must update IP header as well
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dalegaard@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Hi!

Currently a stateless packet rewrite like the following:
 ip daddr set ip daddr map @destmap
... wil not work in practice because the TCP or UDP checksum is not updated.
The IP header is updated correctly, but there does not currently appear to be a
means to update the TCP or UDP checksums as well. TCP and UDP checksums cover
(part of) the IP header as well, checksumming a "pseudo header" instead of the
real header.

I was unsure where to file this, or how to even approach a fix in the best way.
The pseudo-header is a pretty bad layering violation, but without the ability
to modify the TCP or UDP checksums when changing the IP header, applications
like one-to-one NAT cannot be performed from nftables.

I also don't know if this is a use case nftables even wants to support(although
I would love if it did), so the severity may need tweaking. I'm inclined to
think it's an oversight rather than an intentional choice.

BR.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are watching all bug changes.</li>
      </ul>
    </body>
</html>