svn commit: r312345 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Tue Jan 17 16:20:22 UTC 2017
Author: ae
Date: Tue Jan 17 16:20:21 2017
New Revision: 312345
URL: https://svnweb.freebsd.org/changeset/base/312345
Log:
Make the kernel smarter with regards to natt_cksum_policy sysctl variable.
Now natt_cksum_policy variable controls only two behaviors:
0 - automatically handle checksums, and any other value - fully recompute
checksums. When checksums are handled automatically and if IKEd has
specified original IP addresses (i.e. checksum delta is known), checksums
will be computed incrementally. If IKEd didn't configure original
addresses, UDP checksums will be reset to zero and TCP checksums will be
ignored. When natt_cksum_policy isn't zero, checksums will be always
fully recomputed.
This allows to have NAT-T support for transport mode out of the box without
any configuration from the user side.
Modified:
projects/ipsec/sys/netipsec/ipsec.c
projects/ipsec/sys/netipsec/udpencap.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Tue Jan 17 14:52:48 2017 (r312344)
+++ projects/ipsec/sys/netipsec/ipsec.c Tue Jan 17 16:20:21 2017 (r312345)
@@ -152,9 +152,10 @@ VNET_DEFINE(int, crypto_support) = CRYPT
/*
* TCP/UDP checksum handling policy for transport mode NAT-T (RFC3948)
*
- * 0 - incrementally recompute.
+ * 0 - auto: incrementally recompute, when checksum delta is known;
+ * if checksum delta isn't known, reset checksum to zero for UDP,
+ * and mark csum_flags as valid for TCP.
* 1 - fully recompute TCP/UDP checksum.
- * 2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid.
*/
VNET_DEFINE(int, natt_cksum_policy) = 0;
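Review bot: The rewritten table still lists `1 - fully recompute TCP/UDP checksum.` as a distinct value, but the udpencap.c change in this same commit treats every non-zero value that way (the `else` of `if (V_natt_cksum_policy == 0)`), and the log message says "any other value". The comment and the code therefore disagree on what 2, -1 and so on mean. Replacing the line with `* non-zero - fully recompute TCP/UDP checksum.` matches both the implementation and the commit description.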
Modified: projects/ipsec/sys/netipsec/udpencap.c
==============================================================================
--- projects/ipsec/sys/netipsec/udpencap.c Tue Jan 17 14:52:48 2017 (r312344)
+++ projects/ipsec/sys/netipsec/udpencap.c Tue Jan 17 16:20:21 2017 (r312345)
@@ -261,14 +261,25 @@ udp_ipsec_adjust_cksum(struct mbuf *m, s
else
off = offsetof(struct tcphdr, th_sum);
- switch (V_natt_cksum_policy) {
- case 0: /* Incrementally recompute. */
- if (sav->natt->cksum == 0) /* No OA from IKEd */
- return;
- m_copydata(m, skip + off, sizeof(cksum), (caddr_t)&cksum);
- cksum = in_addword(cksum, sav->natt->cksum);
- break;
- case 1: /* Fully recompute */
+ if (V_natt_cksum_policy == 0) { /* auto */
+ if (sav->natt->cksum != 0) {
+ /* Incrementally recompute. */
+ m_copydata(m, skip + off, sizeof(cksum),
+ (caddr_t)&cksum);
+ cksum = in_addword(cksum, sav->natt->cksum);
+ } else {
+ /* No OA from IKEd. */
+ if (proto == IPPROTO_TCP) {
+ /* Ignore for TCP. */
+ m->m_pkthdr.csum_data = 0xffff;
+ m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID |
+ CSUM_PSEUDO_HDR);
+ return;
+ }
+ cksum = 0; /* Reset for UDP. */
+ }
+ m_copyback(m, skip + off, sizeof(cksum), (caddr_t)&cksum);
+ } else { /* Fully recompute */
ip = mtod(m, struct ip *);
cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
htons(m->m_pkthdr.len - skip + proto));
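Review bot: The new TCP path that sets `m->m_pkthdr.csum_data = 0xffff;` and ORs in `CSUM_DATA_VALID | CSUM_PSEUDO_HDR` tells the stack the checksum has already been verified, so with the default policy 0 and no original-address data from the IKE daemon a TCP segment received through the NAT-T SA is never checksum-checked at all, where the old code just returned and left the stale checksum for the stack to reject. That is the RFC 3948 trade-off and is reasonable when the SA carries an ESP integrity transform, but nothing in this function shows the SA's authentication configuration, so an SA negotiated without integrity protection would presumably lose its only corruption check here; the UDP branch has the same property, since a zero IPv4 UDP checksum disables checking. The intent deserves a comment at that line, e.g. `/* No OA: trust ESP integrity instead of the TCP checksum (RFC 3948); assumes the SA has an auth transform. */`. udp_ipsec_adjust_cksum's signature and the setup of off/proto are above this hunk, and the fully-recompute branch continues in the next one.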
@@ -278,16 +289,6 @@ udp_ipsec_adjust_cksum(struct mbuf *m, s
m->m_pkthdr.csum_data = off;
in_delayed_cksum(m);
m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- return;
- default:/* Reset for UDP, ignore for TCP */
- if (proto == IPPROTO_UDP) {
- cksum = 0;
- break;
- }
- m->m_pkthdr.csum_data = 0xffff;
- m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
- return;
}
- m_copyback(m, skip + off, sizeof(cksum), (caddr_t)&cksum);
}