On Fri, Feb 24, 2006 at 04:57:33AM +0000, Patrick McHardy wrote:
>
> So we could move checksum validation behind xfrm4_policy_check or
> already set ip_summed to CHECKSUM_UNNECESSARY in esp_input. Already
> setting ip_summed in esp4_input looks easier. But this still leaves

Absolutely. The only reason post_input exists at all is that it gives us the potential to adjust the checksums incrementally in future which we ought to do.

However, after thinking about it for a bit we can adjust the checksums without using this post_input stuff at all. The crucial point is that only the inner-most NAT-T SA needs to be considered when adjusting checksums. What's more, the checksum adjustment comes down to a single u32 due to the linearity of IP checksums. We just happen to have a spare u32 lying around in our skb structure :)

When ip_summed is set to CHECKSUM_NONE on input, the value of skb->csum is currently unused. All we have to do is to make that the checksum adjustment and voila, there goes all the post_input and decap structures!

I'll send patches to get rid of post_input now.

> one problem. With netfilter and local NAT, a decapsulated transport
> mode packet might be forwarded to another host. In that case the
> checksum contained in the packet is invalid. Any ideas how to fix
> this anyone?

I suppose you should treat CHECKSUM_UNNECESSARY as an indication that you need to recompute the checksum from scratch instead of adjusting it. So start by getting skb_checksum_help to only zap CHECKSUM_HW, and then test on this in the *_manip_pkt functions.

BTW, the original address (nat_oa) structure is wrong. We need the original src as well as the original dst addresses to incrementally adjust the checksum. I wonder why everyone keeps getting this wrong. Fortunately it shouldn't be too hard to fix up, for netlink at least.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
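
The linearity argument in the reply above, as an added example (user-space C, not code from the message or from the kernel): the adjustment for a changed source and destination address collapses into one 32-bit value, and applying it to the received checksum matches a full recomputation. The function names, the UDP segment and the addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: 8-byte UDP header (checksum field zero) + "abc". */
static const uint8_t seg[] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 0x0b, 0, 0, 'a', 'b', 'c' };
/* Constructed addresses: the pair the sender checksummed, the pair received. */
static const uint32_t OSRC = 0x0a000005, ODST = 0xc6336401,
                      NSRC = 0xcb007107, NDST = 0xc0a8010a;

/* Fold a 32-bit ones' complement accumulator to 16 bits. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Sum of the two 16-bit words of an IPv4 address (host byte order). */
static uint32_t addr_sum(uint32_t a) { return (a >> 16) + (a & 0xffff); }

/* Full recomputation: pseudo-header (src, dst, proto, length) + segment. */
uint16_t l4_csum_full(uint32_t src, uint32_t dst, uint8_t proto,
                      const uint8_t *p, size_t len)
{
    uint32_t sum = addr_sum(src) + addr_sum(dst) + proto + (uint32_t)len;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;   /* pad odd tail with zero */
    return (uint16_t)~csum_fold(sum);
}

/* Whole adjustment as one u32: sum of ~m + m' per changed word (RFC 1624). */
uint32_t nat_csum_delta(uint32_t osrc, uint32_t odst, uint32_t nsrc, uint32_t ndst)
{
    return addr_sum(~osrc) + addr_sum(~odst) + addr_sum(nsrc) + addr_sum(ndst);
}

/* HC' = ~(~HC + delta), RFC 1624 equation 3. */
uint16_t csum_apply_delta(uint16_t check, uint32_t delta)
{
    return (uint16_t)~csum_fold((uint16_t)~check + delta);
}

int main(void)
{
    uint16_t sent = l4_csum_full(OSRC, ODST, 17, seg, sizeof seg);
    uint16_t adj = csum_apply_delta(sent, nat_csum_delta(OSRC, ODST, NSRC, NDST));
    return adj != l4_csum_full(NSRC, NDST, 17, seg, sizeof seg); /* 0 on match */
}
```

Passing the original source as the new source (adjusting for the destination only) leaves the result wrong whenever the source also changed, which is why both original addresses are needed.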