Re: [PATCH] Fix checksum bug for multicast/broadcast packets on postrouting hook
From: Mika Penttilä <hidden>
Date: 2004-02-14 19:07:14
James Morris wrote:
This patch fixes a bug with multicast/broadcast packets, Netfilter, and NICs which do hardware checksums.

Outgoing multicast and broadcast packets are cloned prior to being fed into the postrouting hook and looped back. A problem is caused when the shared packet data is modified by the netfilter core code when updating the checksum, but the skb->ip_summed field in the header of the original skb is not updated. The NIC then tries to do a hardware checksum on an already correct checksum, and we end up transmitting the wrong thing.

This bug stops things like DHCP from working, and was noted under SELinux which uses the postrouting hook alone.

The proposed solution below is to copy the skb rather than clone it, to ensure that the original and looped back packets are independent. Please review.

(A similar problem seems to exist in the IPv6 code, although not verified yet).

- James

This is unneeded overhead for the common case. The right fix is to make sure the modifier (netfilter etc) makes the copy if needed. Actually, this is what skb_ip_make_writable() is doing.

--Mika
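
The shared-data failure described in the quoted message, and the copy-on-write behaviour the reply refers to, as a user-space C model added here as an example (it is not part of the thread and not kernel code). `model_skb`, `model_clone`, `model_make_writable` and `model_hook` are hypothetical stand-ins for an skb header, a clone, a make-writable step and a netfilter hook; the checksum value is constructed.

```c
/* User-space model, not kernel code: every name here is hypothetical. */
#include <string.h>

enum { CHECKSUM_NONE, CHECKSUM_HW };   /* simplified ip_summed states */

struct pkt_data  { int users; unsigned char csum; };        /* shared by clones */
struct model_skb { int ip_summed; struct pkt_data *data; }; /* private header */

/* Clone: new header, same packet data, reference count bumped. */
static struct model_skb model_clone(struct model_skb *s)
{
    struct model_skb c = *s;
    c.data->users++;
    return c;
}

/* Copy-on-write: move this skb onto private data if the data is shared. */
static void model_make_writable(struct model_skb *s, struct pkt_data *spare)
{
    if (s->data->users > 1) {
        memcpy(spare, s->data, sizeof(*spare));
        spare->users = 1;
        s->data->users--;
        s->data = spare;
    }
}

/* Hook that writes the final checksum and updates only its own header. */
static void model_hook(struct model_skb *s, struct pkt_data *spare)
{
    if (spare)
        model_make_writable(s, spare);
    s->data->csum = 0xAB;              /* constructed checksum value */
    s->ip_summed = CHECKSUM_NONE;
}

/* Returns 1 if the original still says CHECKSUM_HW although its data
 * already holds the finished checksum (the double-checksum case). */
static int model_original_corrupted(int copy_on_write)
{
    struct pkt_data shared = { 1, 0 }, spare;
    struct model_skb orig = { CHECKSUM_HW, &shared };
    struct model_skb looped = model_clone(&orig);
    model_hook(&looped, copy_on_write ? &spare : NULL);
    return orig.ip_summed == CHECKSUM_HW && orig.data->csum == 0xAB;
}

int main(void) { return !(model_original_corrupted(0) && !model_original_corrupted(1)); }
```

In the model, the copy happens only when the data is actually shared and about to be written, so an unshared packet pays no copy cost.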