git.baikalelectronics.ru Git - kernel.git/commit
netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields
author Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 24 Nov 2016 11:04:55 +0000 (12:04 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 6 Dec 2016 20:47:54 +0000 (21:47 +0100)
commit 1814096980bbe546c4384b7b064126cbe7d40d30
tree 60b487a40c3af0f581b97928d508ade027d8cdb0
parent e0ffdbc78d84e1da090f03ab62da3def0e65159e

This patch adds a new flag that signals the kernel to update layer 4
checksum if the packet field belongs to the layer 4 pseudoheader. This
implicitly provides stateless NAT 1:1 that is useful under very specific
use cases.

Since rules mangling layer 3 fields that are part of the pseudoheader
may potentially convey any layer 4 packet, we have to deal with the
layer 4 checksum adjustment using protocol specific code.

This patch adds support for TCP, UDP and ICMPv6, since they include the
pseudoheader in the layer 4 checksum calculation. ICMP doesn't, so we
can skip it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_tables_core.h
include/uapi/linux/netfilter/nf_tables.h
net/netfilter/nft_payload.c
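
The checksum adjustment described in the commit message, as an added user-space example (not code from this commit or from the kernel): it rewrites an IPv4 source address and fixes the layer 4 checksum incrementally per RFC 1624, then compares the result with a full recomputation. It is narrowed to IPv4 with TCP, UDP and ICMP (ICMPv6 over IPv6 is not covered); the function names, sample bytes and documentation-range addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
enum { P_ICMP = 1, P_TCP = 6, P_UDP = 17 };
/* Constructed sample: UDP-style header (checksum field zeroed) plus "ping". */
static const uint8_t sample_l4[12] = { 0x30, 0x39, 0x00, 0x35, 0x00, 0x0c,
                                       0x00, 0x00, 'p', 'i', 'n', 'g' };

static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Reference: full checksum over the IPv4 pseudoheader plus the L4 bytes. */
static uint16_t l4_csum_full(uint32_t src, uint32_t dst, uint8_t proto,
                             const uint8_t *l4, uint16_t len)
{
    uint32_t sum = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff)
                 + proto + len;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(l4[i] << 8 | l4[i + 1]);
    if (len & 1)
        sum += (uint32_t)l4[len - 1] << 8;
    return (uint16_t)~fold(sum);
}

/* RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), over both halves of the address. */
static uint16_t l4_csum_replace4(uint16_t check, uint32_t from, uint32_t to)
{
    uint32_t sum = (uint16_t)~check + (to >> 16) + (to & 0xffff);
    sum += (uint16_t)~(from >> 16) + (uint16_t)~(from & 0xffff);
    return (uint16_t)~fold(sum);
}

static uint16_t fixup(uint8_t proto, uint16_t check, uint32_t from, uint32_t to)
{
    /* ICMP has no pseudoheader; an IPv4 UDP checksum of 0 means "none sent". */
    if (proto == P_ICMP || (proto == P_UDP && check == 0))
        return check;
    check = l4_csum_replace4(check, from, to);
    return (proto == P_UDP && check == 0) ? 0xffff : check; /* 0 is reserved */
}

int main(void)
{   /* 192.0.2.10 -> 198.51.100.7 as source, 203.0.113.5 as destination */
    uint16_t old = l4_csum_full(0xC000020A, 0xCB007105, P_TCP, sample_l4, 12);
    uint16_t want = l4_csum_full(0xC6336407, 0xCB007105, P_TCP, sample_l4, 12);
    return fixup(P_TCP, old, 0xC000020A, 0xC6336407) != want; /* 0 on match */
}
```

A rule that rewrites the address without this fixup leaves the old checksum in place, and the receiver drops the segment as corrupt.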