Herbert Xu wrote:
> On Fri, Feb 24, 2006 at 04:57:33AM +0000, Patrick McHardy wrote:
>
>>So we could move checksum validation behind xfrm4_policy_check or
>>already set ip_summed to CHECKSUM_UNNECESSARY in esp_input. Already
>>setting ip_summed in esp4_input looks easier. But this still leaves
>
>
> Absolutely.
>
> The only reason post_input exists at all is that it gives us the
> potential to adjust the checksums incrementally in future which
> we ought to do.
>
> However, after thinking about it for a bit we can adjust the
> checksums without using this post_input stuff at all. The crucial
> point is that only the inner-most NAT-T SA needs to be considered
> when adjusting checksums. What's more, the checksum adjustment
> comes down to a single u32 due to the linearity of IP checksums.
>
> We just happen to have a spare u32 lying around in our skb structure :)
> When ip_summed is set to CHECKSUM_NONE on input, the value of skb->csum
> is currently unused. All we have to do is to make that the checksum
> adjustment and voila, there goes all the post_input and decap structures!

Sounds good.

>>one problem. With netfilter and local NAT, a decapsulated transport
>>mode packet might be forwarded to another host. In that case the
>>checksum contained in the packet is invalid. Any ideas how to fix
>>this anyone?
>
>
> I suppose you should treat CHECKSUM_UNNECESSARY as an indication that
> you need to recompute the checksum from scratch instead of adjusting
> it. So start by getting skb_checksum_help to only zap CHECKSUM_HW,
> and then test on this in the *_manip_pkt functions.

We can check the secpath. But I fear you're right, the NAT protocol
modules need to fix up the checksum.
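
The linearity argument quoted above, as an added user-space example that is not code from this thread or from the kernel: because the Internet checksum is a one's-complement sum, the difference between the original and the NAT-rewritten addresses collapses into one value that is added to the receiver's sum. The function names, the addresses and the UDP segment are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t sum)
{
    sum = (sum & 0xffff) + (sum >> 16);
    sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Add the big-endian 16-bit words of p (len is even in this sketch) to sum. */
static uint32_t add_words(const uint8_t *p, size_t len, uint32_t sum)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    return sum;
}

/* Folded sum over the pseudo-header (addrs = src||dst) plus the segment. */
static uint16_t total(const uint8_t addrs[8], uint8_t proto,
                      const uint8_t *seg, size_t len)
{
    uint32_t sum = add_words(addrs, 8, proto + (uint32_t)len);
    return fold(add_words(seg, len, sum));
}

/* The single adjustment: one's-complement (original addrs - seen addrs). */
static uint32_t nat_adjust(const uint8_t orig[8], const uint8_t seen[8])
{
    return (uint32_t)fold(add_words(orig, 8, 0)) +
           (uint16_t)~fold(add_words(seen, 8, 0));
}

/* Bit 0: plain verification passed; bit 1: verification with adjustment passed. */
static int demo(int tamper)
{
    /* Constructed sample: UDP 10.0.0.5 -> 192.0.2.10, source NATed to 198.51.100.7 */
    const uint8_t orig[8] = {10, 0, 0, 5, 192, 0, 2, 10};
    const uint8_t seen[8] = {198, 51, 100, 7, 192, 0, 2, 10};
    uint8_t seg[12] = {0x13, 0x88, 0x00, 0x35, 0x00, 0x0c, 0, 0, 'p', 'i', 'n', 'g'};
    uint16_t c = (uint16_t)~total(orig, 17, seg, sizeof seg); /* sender fills checksum */
    seg[6] = c >> 8;
    seg[7] = c & 0xff;
    if (tamper)
        seg[8] ^= 0x01;                               /* payload corrupted in transit */
    uint16_t rx = total(seen, 17, seg, sizeof seg);   /* receiver sums with seen addrs */
    return (rx == 0xffff) | (fold(rx + nat_adjust(orig, seen)) == 0xffff) << 1;
}
```

demo(0) returns 2 (only the adjusted check passes) and demo(1) returns 0, so the adjustment restores verification across the address rewrite without hiding payload corruption.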