[NETFILTER]: Add partial checksum validation helper
authorPatrick McHardy <kaber@trash.net>
Thu, 20 Mar 2008 14:15:53 +0000 (15:15 +0100)
committerPatrick McHardy <kaber@trash.net>
Mon, 14 Apr 2008 09:15:49 +0000 (11:15 +0200)
Move the UDP-Lite conntrack checksum validation to a generic helper
similar to nf_checksum() and make it fall back to nf_checksum()
in case the full packet is to be checksummed and hardware checksums
are available. This is to be used by DCCP conntrack, which also
needs to verify partial checksums.

Signed-off-by: Patrick McHardy <kaber@trash.net>
include/linux/netfilter.h
net/ipv4/netfilter.c
net/ipv6/netfilter.c
net/netfilter/nf_conntrack_proto_udplite.c

index 66bc52060fd63f3bf759505cd5cc923965a11332..e4c66593b5c697f32d140cdc34a121c1173425d9 100644 (file)
@@ -234,6 +234,11 @@ struct nf_afinfo {
        unsigned short  family;
        __sum16         (*checksum)(struct sk_buff *skb, unsigned int hook,
                                    unsigned int dataoff, u_int8_t protocol);
+       __sum16         (*checksum_partial)(struct sk_buff *skb,
+                                           unsigned int hook,
+                                           unsigned int dataoff,
+                                           unsigned int len,
+                                           u_int8_t protocol);
        int             (*route)(struct dst_entry **dst, struct flowi *fl);
        void            (*saveroute)(const struct sk_buff *skb,
                                     struct nf_queue_entry *entry);
@@ -263,6 +268,23 @@ nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
        return csum;
 }
 
+static inline __sum16
+nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+                   unsigned int dataoff, unsigned int len,
+                   u_int8_t protocol, unsigned short family)
+{
+       const struct nf_afinfo *afinfo;
+       __sum16 csum = 0;
+
+       rcu_read_lock();
+       afinfo = nf_get_afinfo(family);
+       if (afinfo)
+               csum = afinfo->checksum_partial(skb, hook, dataoff, len,
+                                               protocol);
+       rcu_read_unlock();
+       return csum;
+}
+
 extern int nf_register_afinfo(const struct nf_afinfo *afinfo);
 extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
 
index 9a904c6c0dc8d0d72244ecac2c53ce49cf68cb65..f8edacdf991df1d74fac5e0bafad89c9caa481ce 100644 (file)
@@ -182,21 +182,44 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
        }
        return csum;
 }
-
 EXPORT_SYMBOL(nf_ip_checksum);
 
+static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+                                     unsigned int dataoff, unsigned int len,
+                                     u_int8_t protocol)
+{
+       const struct iphdr *iph = ip_hdr(skb);
+       __sum16 csum = 0;
+
+       switch (skb->ip_summed) {
+       case CHECKSUM_COMPLETE:
+               if (len == skb->len - dataoff)
+                       return nf_ip_checksum(skb, hook, dataoff, protocol);
+               /* fall through */
+       case CHECKSUM_NONE:
+               skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr, protocol,
+                                              skb->len - dataoff, 0);
+               skb->ip_summed = CHECKSUM_NONE;
+               csum = __skb_checksum_complete_head(skb, dataoff + len);
+               if (!csum)
+                       skb->ip_summed = CHECKSUM_UNNECESSARY;
+       }
+       return csum;
+}
+
 static int nf_ip_route(struct dst_entry **dst, struct flowi *fl)
 {
        return ip_route_output_key(&init_net, (struct rtable **)dst, fl);
 }
 
 static const struct nf_afinfo nf_ip_afinfo = {
-       .family         = AF_INET,
-       .checksum       = nf_ip_checksum,
-       .route          = nf_ip_route,
-       .saveroute      = nf_ip_saveroute,
-       .reroute        = nf_ip_reroute,
-       .route_key_size = sizeof(struct ip_rt_info),
+       .family                 = AF_INET,
+       .checksum               = nf_ip_checksum,
+       .checksum_partial       = nf_ip_checksum_partial,
+       .route                  = nf_ip_route,
+       .saveroute              = nf_ip_saveroute,
+       .reroute                = nf_ip_reroute,
+       .route_key_size         = sizeof(struct ip_rt_info),
 };
 
 static int ipv4_netfilter_init(void)
index aed51bcc66b44d5df82bd05775d674333a9e09c0..8c6c5e71f2102775e8215cfb29d9c2845bb1d79a 100644 (file)
@@ -121,16 +121,44 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
        }
        return csum;
 }
-
 EXPORT_SYMBOL(nf_ip6_checksum);
 
+static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
+                                      unsigned int dataoff, unsigned int len,
+                                      u_int8_t protocol)
+{
+       struct ipv6hdr *ip6h = ipv6_hdr(skb);
+       __wsum hsum;
+       __sum16 csum = 0;
+
+       switch (skb->ip_summed) {
+       case CHECKSUM_COMPLETE:
+               if (len == skb->len - dataoff)
+                       return nf_ip6_checksum(skb, hook, dataoff, protocol);
+               /* fall through */
+       case CHECKSUM_NONE:
+               hsum = skb_checksum(skb, 0, dataoff, 0);
+               skb->csum = ~csum_unfold(csum_ipv6_magic(&ip6h->saddr,
+                                                        &ip6h->daddr,
+                                                        skb->len - dataoff,
+                                                        protocol,
+                                                        csum_sub(0, hsum)));
+               skb->ip_summed = CHECKSUM_NONE;
+               csum = __skb_checksum_complete_head(skb, dataoff + len);
+               if (!csum)
+                       skb->ip_summed = CHECKSUM_UNNECESSARY;
+       }
+       return csum;
+};
+
 static const struct nf_afinfo nf_ip6_afinfo = {
-       .family         = AF_INET6,
-       .checksum       = nf_ip6_checksum,
-       .route          = nf_ip6_route,
-       .saveroute      = nf_ip6_saveroute,
-       .reroute        = nf_ip6_reroute,
-       .route_key_size = sizeof(struct ip6_rt_info),
+       .family                 = AF_INET6,
+       .checksum               = nf_ip6_checksum,
+       .checksum_partial       = nf_ip6_checksum_partial,
+       .route                  = nf_ip6_route,
+       .saveroute              = nf_ip6_saveroute,
+       .reroute                = nf_ip6_reroute,
+       .route_key_size         = sizeof(struct ip6_rt_info),
 };
 
 int __init ipv6_netfilter_init(void)
index 9dd03c7aeac6da64283e8cfe847204e77701e31e..c3eaee6afffd12d32819d7d58b3ba4d3a710a228 100644 (file)
@@ -127,32 +127,13 @@ static int udplite_error(struct sk_buff *skb, unsigned int dataoff,
        }
 
        /* Checksum invalid? Ignore. */
-       if (nf_conntrack_checksum && !skb_csum_unnecessary(skb) &&
-           hooknum == NF_INET_PRE_ROUTING) {
-               if (pf == PF_INET) {
-                       struct iphdr *iph = ip_hdr(skb);
-
-                       skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
-                                                      udplen, IPPROTO_UDPLITE, 0);
-               } else {
-                       struct ipv6hdr *ipv6h = ipv6_hdr(skb);
-                       __wsum hsum = skb_checksum(skb, 0, dataoff, 0);
-
-                       skb->csum = ~csum_unfold(
-                               csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
-                                               udplen, IPPROTO_UDPLITE,
-                                               csum_sub(0, hsum)));
-               }
-
-               skb->ip_summed = CHECKSUM_NONE;
-               if (__skb_checksum_complete_head(skb, dataoff + cscov)) {
-                       if (LOG_INVALID(IPPROTO_UDPLITE))
-                               nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
-                                             "nf_ct_udplite: bad UDPLite "
-                                             "checksum ");
-                       return -NF_ACCEPT;
-               }
-               skb->ip_summed = CHECKSUM_UNNECESSARY;
+       if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
+           nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
+                               pf)) {
+               if (LOG_INVALID(IPPROTO_UDPLITE))
+                       nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+                                     "nf_ct_udplite: bad UDPLite checksum ");
+               return -NF_ACCEPT;
        }
 
        return NF_ACCEPT;