From: "Bjoern A. Zeeb"
Date: Fri, 15 Sep 2006 09:24:03 +0000 (UTC)
To: Larry Baird, VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org
Subject: Re: FAST_IPSEC NAT-T support
Message-ID: <20060915082519.T44392@maildrop.int.zabbadoz.net>
In-Reply-To: <20060914093034.A83805@gta.com>

Hi,

[just replying to a random mail of one of the various NAT-T threads at
this point]

I had started to review the code (to find some problems people had with
the patch) and came up with the following so far. This work was done
based on the old freebsd6-natt.diff which is no longer available:( but
should equally apply to the new one.

Here is what the patch[1] changes:

- do not request more data to be collapsed into one contiguous data
  area of a mbuf than needed. sizeof(struct udphdr) is already
  included in off.

- remove unused variable 'family'

- the original patch did a m_dup() to get another writable copy (not
  only a reference) of the mbuf chain but did this after
  touching/changing data of the original mbuf. As it shouldn't matter
  in either case do it the right way and create the copy before moving
  data around so the original mbuf stays untouched.

- After removing the UDP part correctly set the new ip_len. The value
  already is in hbo so the arithmetic was wrong. The new value should
  not be needed by functions called (though they may change it too)
  but if we adjust it do it correctly.

- NICs like bge(4) do support IP/TCP/UDP checksum offloading. That
  means once a natt packet hits udp_input a csum for the IP and UDP
  payload was already validated. UDP checksumming is generally optional
  so nobody really cares in case it's a) not requested and b) the NIC
  doesn't do it already. But in case the NIC does, the flags are set on
  the mbuf that the csum was/is correct. While this mbuf (or a 1:1 copy)
  is passed on to ESP handling and later for example TCP handling the
  valid csum flags are still there but our packet has changed and of
  course the original checksum for the UDP natt part is no longer the
  same and valid for the TCP payload and thus the packet gets dropped.
  So clear the csum flags if set before handing the packet off to ESP
  processing.

Now that it looks like finally all the bits and pieces are there for
NAT-T support I'll continue the review as time permits.

Greetings
Bjoern

References:
[1] http://sources.zabbadoz.net/freebsd/ipv6/patches/natt-20060908-01-bz.diff

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
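A constructed C model of the decapsulation step the last three review items describe (copy before modifying, adjust the host-order ip_len with plain subtraction, clear the NIC's checksum-offload flags before the packet goes on to ESP). This is an added example, not code from the patch or from FreeBSD: struct pkt, the flag values, build_sample and natt_decap are stand-ins for the real mbuf machinery.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the inbound mbuf csum flags; the values are hypothetical. */
#define CSUM_IP_CHECKED 0x01
#define CSUM_IP_VALID   0x02
#define CSUM_DATA_VALID 0x04
#define CSUM_PSEUDO_HDR 0x08
#define CSUM_INBOUND (CSUM_IP_CHECKED | CSUM_IP_VALID | CSUM_DATA_VALID | CSUM_PSEUDO_HDR)
#define UDPHDR_LEN 8 /* sizeof(struct udphdr) */

/* Flat stand-in for an mbuf chain; ip_len is in host byte order, as it is
 * once ip_input() has handed the packet to the protocol handler. */
struct pkt {
    unsigned csum_flags;
    uint16_t ip_len;   /* host byte order */
    uint8_t  iphlen;
    size_t   len;
    uint8_t  data[128];
};

/* Constructed sample: 20-byte IP header, 8-byte UDP header, 12 bytes of ESP,
 * with the NIC reporting both the IP and the UDP checksum as verified. */
void build_sample(struct pkt *p)
{
    memset(p, 0, sizeof *p);
    p->iphlen = 20;
    p->len = 20 + UDPHDR_LEN + 12;
    p->ip_len = (uint16_t)p->len;
    p->csum_flags = CSUM_INBOUND;
    for (size_t i = 0; i < p->len; i++)
        p->data[i] = (uint8_t)i;   /* byte i holds value i, so moves are visible */
}

/* Strip the UDP encapsulation. 'off' is where the ESP payload starts and
 * already includes sizeof(struct udphdr). Returns a fresh copy (caller frees)
 * or NULL if off is inconsistent; the original packet is never modified. */
struct pkt *natt_decap(const struct pkt *orig, size_t off)
{
    if (off < (size_t)orig->iphlen + UDPHDR_LEN || off > orig->len)
        return NULL;
    struct pkt *m = malloc(sizeof *m);
    if (m == NULL) return NULL;
    *m = *orig;                              /* copy first, then modify only the copy */
    memmove(m->data + off - UDPHDR_LEN, m->data + off, m->len - off); /* drop UDP hdr */
    m->len -= UDPHDR_LEN;
    m->ip_len -= UDPHDR_LEN;                 /* host-order value: no ntohs()/htons() */
    m->csum_flags &= ~CSUM_INBOUND;          /* payload changed, offload verdict is stale */
    return m;
}
```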