Patrick McHardy wrote:
>>I don't know what correct fix is. Adding an extra call to xfrm4_policy_check in
>>tcp_v4_rcv before the checksum check fixes this problem and doesn't seem to
>>break anything else. On the other hand, moving some of the code in
>>esp_post_input into esp_input (especially line 298) will work, too.
>
> So we could move checksum validation behind xfrm4_policy_check or
> already set ip_summed to CHECKSUM_UNNECESSARY in esp_input. Already
> setting ip_summed in esp4_input looks easier. But this still leaves
> one problem. With netfilter and local NAT, a decapsulated transport
> mode packet might be forwarded to another host. In that case the
> checksum contained in the packet is invalid. Any ideas how to fix
> this anyone?

I don't know what the functional separation or difference between a packet input function and a packet post input function is, but the entire code in esp_post_input doesn't seem like it would cause any problem just by placing it at the end of esp_input instead of its current location.

A forwarded decapsulated packet would have the destination IP changed from server S to another IP. Shouldn't that cause the stack to automatically recalculate the checksum?

Anyway, enough speculation. I will leave the solution to those who know the Linux kernel networking code.

Thanks.
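
The forwarding question raised in this thread, as an added example (not code from the thread or from the kernel): it assumes the forwarder adjusts the TCP checksum incrementally per RFC 1624 when it rewrites the destination, and shows that such an adjustment keeps a matching checksum matching and a mismatched one mismatched. The addresses, the segment bytes and the names `tcp_csum`, `csum_update_addr` and `valid_after_dnat` are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* TCP checksum over the pseudo-header (src, dst, proto 6, length) and the
 * segment. Returns 0 when the checksum stored in seg[16..17] verifies. */
uint16_t tcp_csum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t n) {
    uint32_t s = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff)
               + 6 + (uint32_t)n;
    size_t i;
    for (i = 0; i + 1 < n; i += 2) s += (uint32_t)seg[i] << 8 | seg[i + 1];
    if (i < n) s += (uint32_t)seg[i] << 8;      /* odd trailing byte */
    return (uint16_t)~fold(s);
}

/* RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for one 32-bit address.
 * Hypothetical helper name, not a kernel API. */
uint16_t csum_update_addr(uint16_t hc, uint32_t from, uint32_t to) {
    uint32_t s = (uint16_t)~hc;
    s += (uint16_t)~(from >> 16);
    s += (uint16_t)~(from & 0xffff);
    s += (to >> 16) + (to & 0xffff);
    return (uint16_t)~fold(s);
}

/* Constructed sample: sender 10.0.0.2, server S 192.0.2.10, new host
 * 192.0.2.20. seen_src is the source address on the decapsulated packet.
 * Returns 1 if the checksum verifies after the destination rewrite. */
int valid_after_dnat(uint32_t seen_src) {
    const uint32_t sender = 0x0a000002, S = 0xc000020a, H = 0xc0000214;
    uint8_t seg[24] = { 0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0,
                        0x50,0x02, 0x20,0x00, 0,0, 0,0, 'p','i','n','g' };
    uint16_t c = tcp_csum(sender, S, seg, sizeof seg);  /* sender's checksum */
    c = csum_update_addr(c, S, H);                      /* forwarder's fix-up */
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)(c & 0xff);
    return tcp_csum(seen_src, H, seg, sizeof seg) == 0;
}
```

Calling `valid_after_dnat` with the sender's own address returns 1; calling it with any other source address (a checksum that was already wrong for the packet as received) returns 0, because the incremental update only accounts for the field it replaces.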