Date:      Fri, 15 Sep 2006 09:24:03 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Larry Baird <lab@gta.com>, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: FAST_IPSEC NAT-T support
Message-ID:  <20060915082519.T44392@maildrop.int.zabbadoz.net>
In-Reply-To: <20060914093034.A83805@gta.com>
References:  <20060914093034.A83805@gta.com>

Hi,

[just replying to a random mail of one of the various NAT-T threads
  at this point]

I had started to review the code (to find some problems people had
with the patch) and came up with the following so far. This work
was done based on the old freebsd6-natt.diff which is no longer
available:( but should equally apply to the new one.

Here is what the patch[1] changes:

- do not request more data to be collapsed into one contiguous data
   area of a mbuf than needed. sizeof(struct udphdr) is already
   included in off.

- remove unused variable 'family'

- the original patch did a m_dup() to get another writable copy (not
   only a reference) of the mbuf chain but did this after touching/changing
   data of the original mbuf. As it shouldn't matter in either case do
   it the right way and create the copy before moving data around so the
   original mbuf stays untouched.

- After removing the UDP part, correctly set the new ip_len. The value
   already is in hbo so arithmetics were wrong. The new value should not
   be needed by functions called (though they may change it too) but if
   we adjust it do it correctly.

- NICs like bge(4) do support IP/TCP/UDP checksum offloading. That
   means once a natt packet hits udp_input a csum for the IP and UDP
   payload was already validated.
   UDP checksumming is generally optional so nobody really cares in
   case it's a) not requested and b) the NIC doesn't do it already.
   But in case the NIC does, the flags are set on the mbuf that the
   csum was/is correct.
   While this mbuf (or a 1:1 copy) is passed on to ESP handling and
   later for example TCP handling the valid csum flags are still there
   but our packet has changed and of course the original checksum for
   the UDP natt part is no longer the same and valid for the TCP
   payload and thus the packet gets dropped.
   So clear the csum flags if set before handing the packet off to
   ESP processing.



Now that it looks that finally all the bits and pieces are there for
NAT-T support I'll continue the review as time permits.

Greetings
Bjoern


References:

[1] http://sources.zabbadoz.net/freebsd/ipv6/patches/natt-20060908-01-bz.diff

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
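
The steps listed in the message above (copy first, strip the UDP header, adjust ip_len in host byte order, clear the receive checksum flags), modeled in user space as an added example; this is not code from the patch or from FreeBSD. struct pkt, natt_decap and sample_pkt are hypothetical and the flag values are constructed; only the flag names follow FreeBSD's CSUM_DATA_VALID and CSUM_PSEUDO_HDR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an mbuf; flag values are constructed. */
#define CSUM_DATA_VALID 0x1
#define CSUM_PSEUDO_HDR 0x2
#define UDP_HLEN        8

struct pkt {
    uint32_t csum_flags;  /* receive checksum-offload results from the NIC */
    uint16_t ip_len;      /* IP total length, already in host byte order */
    uint8_t  data[64];    /* IP header, UDP header, ESP bytes (ip_len used) */
};

/* Constructed sample: 20-byte IP header, 8-byte UDP header, 4 ESP bytes. */
struct pkt sample_pkt(void)
{
    struct pkt p = { CSUM_DATA_VALID | CSUM_PSEUDO_HDR, 32, {0} };
    memset(p.data + 20, 0xAA, UDP_HLEN);  /* marks the UDP header */
    memset(p.data + 28, 0xEE, 4);         /* marks the ESP bytes */
    return p;
}

/* Return a decapsulated copy of in (caller frees), or NULL on error.
 * iphlen is the IP header length, i.e. the offset of the UDP header. */
struct pkt *natt_decap(const struct pkt *in, size_t iphlen)
{
    struct pkt *n;

    if (in->ip_len > sizeof(in->data) || in->ip_len < iphlen + UDP_HLEN)
        return NULL;
    /* 1. Copy before touching any data, so the original stays unmodified. */
    if ((n = malloc(sizeof(*n))) == NULL)
        return NULL;
    memcpy(n, in, sizeof(*n));
    /* 2. Slide the ESP bytes over the UDP header. */
    memmove(n->data + iphlen, n->data + iphlen + UDP_HLEN,
        in->ip_len - iphlen - UDP_HLEN);
    /* 3. ip_len is in host byte order: subtract directly, no byte swapping. */
    n->ip_len = (uint16_t)(in->ip_len - UDP_HLEN);
    /* 4. The NIC's verdict covered the UDP datagram, not what follows it. */
    n->csum_flags &= ~(uint32_t)(CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
    return n;
}
```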


