From owner-svn-src-projects@freebsd.org Tue Jan 17 16:20:22 2017
Message-Id: <201701171620.v0HGKL89027607@repo.freebsd.org>
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Tue, 17 Jan 2017 16:20:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r312345 - projects/ipsec/sys/netipsec
List-Id: "SVN commit messages for the src projects tree"

Author: ae
Date: Tue Jan 17 16:20:21 2017
New Revision: 312345

URL: https://svnweb.freebsd.org/changeset/base/312345

Log:
  Make the kernel smarter with regard to the natt_cksum_policy sysctl variable.

  Now the natt_cksum_policy variable controls only two behaviors:
  0 - automatically handle checksums, and any other value - fully
  recompute checksums.

  When checksums are handled automatically and IKEd has specified original
  IP addresses (i.e. the checksum delta is known), checksums will be
  computed incrementally. If IKEd didn't configure original addresses,
  UDP checksums will be reset to zero and TCP checksums will be ignored.
  When natt_cksum_policy isn't zero, checksums will always be fully
  recomputed.

  This makes it possible to have NAT-T support for transport mode out of
  the box without any configuration from the user side.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c
  projects/ipsec/sys/netipsec/udpencap.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Tue Jan 17 14:52:48 2017	(r312344)
+++ projects/ipsec/sys/netipsec/ipsec.c	Tue Jan 17 16:20:21 2017	(r312345)
@@ -152,9 +152,10 @@ VNET_DEFINE(int, crypto_support) = CRYPT /* * TCP/UDP checksum handling policy for transport mode NAT-T (RFC3948) * - * 0 - incrementally recompute. + * 0 - auto: incrementally recompute, when checksum delta is known; + * if checksum delta isn't known, reset checksum to zero for UDP, + * and mark csum_flags as valid for TCP. * 1 - fully recompute TCP/UDP checksum. - * 2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid. */ VNET_DEFINE(int, natt_cksum_policy) = 0; Modified: projects/ipsec/sys/netipsec/udpencap.c ============================================================================== --- projects/ipsec/sys/netipsec/udpencap.c Tue Jan 17 14:52:48 2017 (r312344) +++ projects/ipsec/sys/netipsec/udpencap.c Tue Jan 17 16:20:21 2017 (r312345) @@ -261,14 +261,25 @@ udp_ipsec_adjust_cksum(struct mbuf *m, s else off = offsetof(struct tcphdr, th_sum); - switch (V_natt_cksum_policy) { - case 0: /* Incrementally recompute. */ - if (sav->natt->cksum == 0) /* No OA from IKEd */ - return; - m_copydata(m, skip + off, sizeof(cksum), (caddr_t)&cksum); - cksum = in_addword(cksum, sav->natt->cksum); - break; - case 1: /* Fully recompute */ + if (V_natt_cksum_policy == 0) { /* auto */ + if (sav->natt->cksum != 0) { + /* Incrementally recompute. */ + m_copydata(m, skip + off, sizeof(cksum), + (caddr_t)&cksum); + cksum = in_addword(cksum, sav->natt->cksum); + } else { + /* No OA from IKEd. */ + if (proto == IPPROTO_TCP) { + /* Ignore for TCP. */ + m->m_pkthdr.csum_data = 0xffff; + m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | + CSUM_PSEUDO_HDR); + return; + } + cksum = 0; /* Reset for UDP. */ + } + m_copyback(m, skip + off, sizeof(cksum), (caddr_t)&cksum); + } else { /* Fully recompute */ ip = mtod(m, struct ip *); cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, htons(m->m_pkthdr.len - skip + proto)); 
@@ -278,16 +289,6 @@ udp_ipsec_adjust_cksum(struct mbuf *m, s m->m_pkthdr.csum_data = off; in_delayed_cksum(m); m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; - return; - default:/* Reset for UDP, ignore for TCP */ - if (proto == IPPROTO_UDP) { - cksum = 0; - break; - } - m->m_pkthdr.csum_data = 0xffff; - m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR); - return; } - m_copyback(m, skip + off, sizeof(cksum), (caddr_t)&cksum); }
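Review bot: in the ipsec.c comment hunk the updated block still reads "1 - fully recompute TCP/UDP checksum." while the new udpencap.c code (and the log message) treat every non-zero value as full recompute, so that line should say "non-zero - fully recompute TCP/UDP checksum." to match the `if (V_natt_cksum_policy == 0) ... else` structure; if the SYSCTL_INT description string for natt_cksum_policy (outside this diff) still mentions the removed mode 2, it needs the same update.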
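Review bot: in the auto branch of the first udpencap.c hunk the incremental path does `m_copydata(m, skip + off, sizeof(cksum), (caddr_t)&cksum); cksum = in_addword(cksum, sav->natt->cksum);` without looking at the value it read, so an IPv4 UDP datagram whose sender set the checksum to 0 (RFC 768 "no checksum") leaves with `cksum == sav->natt->cksum`, a bogus non-zero checksum that the receiving socket will verify and reject; add `if (proto == IPPROTO_UDP && cksum == 0) return;` between the copy and the add (the full-recompute branch is unaffected since it always writes a fresh value). Related: `sav->natt->cksum == 0` doubles as the "No OA from IKEd" sentinel, and because ones-complement zero has two encodings (0 and 0xffff), whether an address translation that leaves the address sum unchanged can yield a delta of exactly 0 depends on how that field is filled in (not in this diff); if it can, such an SA would silently lose its UDP checksums or skip TCP verification, so an explicit "original addresses present" flag next to the delta would be more robust than overloading the delta value. Finally, the TCP path sets `csum_data = 0xffff` with `CSUM_DATA_VALID | CSUM_PSEUDO_HDR` and leaves the stale checksum in the header; that is acceptable for local delivery because the ESP integrity check already covered the segment, but it is worth documenting that this only holds for SAs with an authentication algorithm, and that the on-wire value is wrong for anything that re-checks it (a forwarded packet or a capture).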
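Review bot: dropping the `default:` arm in this hunk silently changes what `natt_cksum_policy=2` means for anyone who already set it: it used to select "Reset for UDP, ignore for TCP" and now, as any non-zero value, selects full recompute; a recomputed checksum is always a valid one, so traffic keeps flowing, but the log message or sysctl description should say so, or the sysctl could get a handler that rejects values other than 0 and 1 instead of accepting arbitrary integers. Removing the trailing `m_copyback()` and the `return;` is correct: the full-recompute branch stores its result through `in_delayed_cksum(m)` using `csum_data = off`, and the auto branch in the previous hunk now carries its own `m_copyback()`, so every path that produces a value still writes it.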
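The checksum handling the log message describes, worked through on a constructed packet. This is an added example written for this page, not FreeBSD's udpencap.c or the code that fills `sav->natt->cksum`: it uses its own helper names (`cksum_accumulate`, `natt_cksum_delta`, `natt_adjust_udp_cksum`, `natt_scenario`), its own constructed IPv4 UDP segment and addresses, derives the delta from the original and translated addresses itself (how the kernel computes that field is not shown in the commit), and adds one guard the patch does not have: a UDP segment that was sent without a checksum is left untouched rather than having the delta added to a zero field. It keeps the commit's two policy values, 0 for auto (incremental update when a delta is known, otherwise reset the UDP checksum to zero) and anything else for full recompute.

```c
/*
 * Added example, not FreeBSD code: natt_cksum_policy-style handling of the
 * UDP checksum of a decapsulated transport-mode segment (0 = auto, any other
 * value = full recompute) on a constructed IPv4 segment. Helper names,
 * addresses and the delta derivation are this example's own assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPPROTO_UDP 17
enum { NATT_CKSUM_AUTO = 0, NATT_CKSUM_FULL = 1 };
enum { CK_INCREMENTAL = 1, CK_RESET_ZERO, CK_NO_CKSUM, CK_FULL };

/* Add big-endian 16-bit words to a 32-bit ones-complement accumulator. */
uint32_t cksum_accumulate(uint32_t sum, const uint8_t *p, size_t len)
{
	for (; len > 1; p += 2, len -= 2)
		sum += (uint32_t)p[0] << 8 | p[1];
	if (len)
		sum += (uint32_t)p[0] << 8;	/* odd trailing byte, zero padded */
	return sum;
}

uint16_t cksum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)sum;
}

/* Ones-complement 16-bit add; same result as FreeBSD's in_addword(). */
uint16_t in_addword(uint16_t a, uint16_t b)
{
	uint32_t s = (uint32_t)a + b;
	return (uint16_t)((s & 0xffff) + (s >> 16));
}

/* IPv4 pseudo-header sum for a UDP segment of seglen bytes. */
static uint32_t pseudo_sum(const uint8_t src[4], const uint8_t dst[4], size_t seglen)
{
	uint8_t ph[12] = { 0 };
	memcpy(ph, src, 4);
	memcpy(ph + 4, dst, 4);
	ph[9] = IPPROTO_UDP;
	ph[10] = (uint8_t)(seglen >> 8);
	ph[11] = (uint8_t)seglen;
	return cksum_accumulate(0, ph, sizeof ph);
}

/* Full UDP checksum (RFC 768); 0 means "none", so a computed 0 becomes 0xffff. */
uint16_t udp_full_cksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t seglen)
{
	uint32_t s = pseudo_sum(src, dst, seglen);
	s = cksum_accumulate(s, seg, 6);		/* ports and length */
	s = cksum_accumulate(s, seg + 8, seglen - 8);	/* payload; checksum field skipped */
	uint16_t c = (uint16_t)~cksum_fold(s);
	return c == 0 ? 0xffff : c;
}

/* Receiver-side check: 1 if the segment verifies or carries no checksum. */
int udp_cksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t seglen)
{
	if ((seg[6] | seg[7]) == 0)
		return 1;
	return cksum_fold(cksum_accumulate(pseudo_sum(src, dst, seglen), seg, seglen)) == 0xffff;
}

/*
 * Delta an IKE daemon could derive from the original addresses it learned:
 * the sender checksummed over (osrc, odst), the receiver sees (nsrc, ndst),
 * and in ones-complement arithmetic C' = C + old - new = C + old + ~new.
 */
uint16_t natt_cksum_delta(const uint8_t osrc[4], const uint8_t odst[4], const uint8_t nsrc[4], const uint8_t ndst[4])
{
	uint16_t oldsum = cksum_fold(cksum_accumulate(cksum_accumulate(0, osrc, 4), odst, 4));
	uint16_t newsum = cksum_fold(cksum_accumulate(cksum_accumulate(0, nsrc, 4), ndst, 4));
	return in_addword(oldsum, (uint16_t)~newsum);
}

/*
 * Policy dispatch as in the commit: delta == 0 stands for "no OA from IKEd".
 * Extra guard (not in the patch): a segment sent without a checksum stays
 * that way instead of getting the delta added to its zero field.
 */
int natt_adjust_udp_cksum(int policy, uint16_t delta, const uint8_t nsrc[4], const uint8_t ndst[4], uint8_t *seg, size_t seglen)
{
	uint16_t c = (uint16_t)(seg[6] << 8 | seg[7]);
	int path;

	if (policy != NATT_CKSUM_AUTO) {
		c = udp_full_cksum(nsrc, ndst, seg, seglen);
		path = CK_FULL;
	} else if (delta == 0) {
		c = 0;		/* no original addresses known: drop the checksum */
		path = CK_RESET_ZERO;
	} else if (c == 0) {
		return CK_NO_CKSUM;
	} else {
		c = in_addword(c, delta);
		path = CK_INCREMENTAL;
	}
	seg[6] = (uint8_t)(c >> 8);
	seg[7] = (uint8_t)c;
	return path;
}

/* Scenario driver on a constructed segment: returns the path taken, or a
 * negative code if the checksum state is wrong at any step. */
int natt_scenario(int policy, int have_oa, int sender_cksum)
{
	static const uint8_t osrc[4] = { 10, 0, 0, 5 };		/* sender's private address */
	static const uint8_t nsrc[4] = { 203, 0, 113, 9 };	/* what the receiver sees after NAT */
	static const uint8_t dst[4] = { 198, 51, 100, 7 };	/* unchanged */
	uint8_t seg[19] = { 0x04, 0xd2, 0x14, 0xe9, 0x00, 19, 0, 0,	/* 1234 -> 5353, len 19 */
	    'n', 'a', 't', 't', ' ', 's', 'a', 'm', 'p', 'l', 'e' };
	uint16_t c, delta = have_oa ? natt_cksum_delta(osrc, dst, nsrc, dst) : 0;
	int path;

	if (sender_cksum) {
		c = udp_full_cksum(osrc, dst, seg, sizeof seg);
		seg[6] = (uint8_t)(c >> 8);
		seg[7] = (uint8_t)c;
		if (udp_cksum_ok(nsrc, dst, seg, sizeof seg))
			return -1;	/* NAT changed the source, so this must fail */
	}
	path = natt_adjust_udp_cksum(policy, delta, nsrc, dst, seg, sizeof seg);
	if (!udp_cksum_ok(nsrc, dst, seg, sizeof seg))
		return -2;
	c = (uint16_t)(seg[6] << 8 | seg[7]);
	if (path == CK_INCREMENTAL && c != udp_full_cksum(nsrc, dst, seg, sizeof seg))
		return -3;	/* incremental update must equal a full recompute */
	return path;
}
```

`natt_scenario()` builds the segment as the sender behind the NAT would, checks that the checksum no longer verifies once the source address has been rewritten, applies the policy with the addresses the receiver actually sees and verifies again; for the incremental path it also compares the stored value against a full recompute, which the ones-complement algebra in `natt_cksum_delta()` guarantees to be identical.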