Date: Tue, 17 Jan 2017 16:20:21 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r312345 - projects/ipsec/sys/netipsec Message-ID: <201701171620.v0HGKL89027607@repo.freebsd.org>
Author: ae Date: Tue Jan 17 16:20:21 2017 New Revision: 312345 URL: https://svnweb.freebsd.org/changeset/base/312345 Log: Make the kernel smarter with regards to natt_cksum_policy sysctl variable. Now natt_cksum_policy variable controls only two behaviors: 0 - automatically handle checksums, and any other value - fully recompute checksums. When checksums are handled automatically and if IKEd has specified original IP addresses (i.e. checksum delta is known), checksums will be computed incrementally. If IKEd didn't configured original addresses, UDP checksums will be reset to zero and TCP checksums will be ignored. When natt_cksum_policy isn't zero, checksums will be always fully recomputed. This allows to have NAT-T support for transport mode out of the box without any configuration from the user side. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/udpencap.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Tue Jan 17 14:52:48 2017 (r312344)
+++ projects/ipsec/sys/netipsec/ipsec.c Tue Jan 17 16:20:21 2017 (r312345)
@@ -152,9 +152,10 @@ VNET_DEFINE(int, crypto_support) = CRYPT
 /*
  * TCP/UDP checksum handling policy for transport mode NAT-T (RFC3948)
  *
- * 0 - incrementally recompute.
+ * 0 - auto: incrementally recompute, when checksum delta is known;
+ * if checksum delta isn't known, reset checksum to zero for UDP,
+ * and mark csum_flags as valid for TCP.
  * 1 - fully recompute TCP/UDP checksum.
- * 2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid.
  */
 VNET_DEFINE(int, natt_cksum_policy) = 0;
Modified: projects/ipsec/sys/netipsec/udpencap.c
==============================================================================
--- projects/ipsec/sys/netipsec/udpencap.c Tue Jan 17 14:52:48 2017 (r312344)
+++ projects/ipsec/sys/netipsec/udpencap.c Tue Jan 17 16:20:21 2017 (r312345)
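Review bot: The rewritten comment still lists `1 - fully recompute TCP/UDP checksum.`, but the commit message and the new `if (V_natt_cksum_policy == 0) ... else` in udpencap.c make every non-zero value select full recomputation, so someone tuning the sysctl from this comment reads a narrower contract than the code enforces. Suggest ` * non-zero - fully recompute TCP/UDP checksum.` (or keep `1` and add `any other non-zero value behaves the same`). The `0 - auto` entry would also benefit from one line saying why skipping TCP verification is acceptable, presumably because ESP integrity protection has already covered the inner packet — e.g. ` *     (TCP verification is skipped; integrity is expected to come from ESP)` — so that a future reader does not mistake it for a silent integrity downgrade.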
@@ -261,14 +261,25 @@ udp_ipsec_adjust_cksum(struct mbuf *m, s
 	else
 		off = offsetof(struct tcphdr, th_sum);
-	switch (V_natt_cksum_policy) {
-	case 0: /* Incrementally recompute. */
-		if (sav->natt->cksum == 0) /* No OA from IKEd */
-			return;
-		m_copydata(m, skip + off, sizeof(cksum), (caddr_t)&cksum);
-		cksum = in_addword(cksum, sav->natt->cksum);
-		break;
-	case 1: /* Fully recompute */
+	if (V_natt_cksum_policy == 0) { /* auto */
+		if (sav->natt->cksum != 0) {
+			/* Incrementally recompute. */
+			m_copydata(m, skip + off, sizeof(cksum),
+			    (caddr_t)&cksum);
+			cksum = in_addword(cksum, sav->natt->cksum);
+		} else {
+			/* No OA from IKEd. */
+			if (proto == IPPROTO_TCP) {
+				/* Ignore for TCP. */
+				m->m_pkthdr.csum_data = 0xffff;
+				m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID |
+				    CSUM_PSEUDO_HDR);
+				return;
+			}
+			cksum = 0; /* Reset for UDP. */
+		}
+		m_copyback(m, skip + off, sizeof(cksum), (caddr_t)&cksum);
+	} else { /* Fully recompute */
 		ip = mtod(m, struct ip *);
 		cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
 		    htons(m->m_pkthdr.len - skip + proto));
@@ -278,16 +289,6 @@ udp_ipsec_adjust_cksum(struct mbuf *m, s
 		m->m_pkthdr.csum_data = off;
 		in_delayed_cksum(m);
 		m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
-		return;
-	default:/* Reset for UDP, ignore for TCP */
-		if (proto == IPPROTO_UDP) {
-			cksum = 0;
-			break;
-		}
-		m->m_pkthdr.csum_data = 0xffff;
-		m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
-		return;
 	}
-	m_copyback(m, skip + off, sizeof(cksum), (caddr_t)&cksum);
 }
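Review bot: In the incremental branch of the new auto path, `cksum = in_addword(cksum, sav->natt->cksum)` is applied without looking at the value just read, so an IPv4 UDP datagram that was sent with its checksum disabled (zero) presumably leaves here with a non-zero, incorrect checksum that the receiving stack will verify and drop, whereas the no-OA path two lines below deliberately writes zero for UDP. A guard after the `m_copydata()` such as `if (proto == IPPROTO_UDP && cksum == 0) return;` would keep those datagrams untouched. The removed `case 0` had the same gap, so the commit does not introduce it, but the restructuring is the natural place to close it. The function's prologue, where `skip`, `off` and `proto` are derived and any IPv6 handling would live, starts before the hunk, so whether inner IPv6 packets (for which a zero UDP checksum is not valid) can reach this code cannot be judged from here.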