ip_input - chksum - why is it done so early in ip_input?

Andre Oppermann andre at freebsd.org
Sat Jan 17 09:47:44 PST 2004


Sten Daniel Sørsdal wrote:
> 
> Apologies for the cross-post, I wasn't sure if this was hackers or net material.
> 
> I've often wondered why IP checksumming is done on every incoming
> packet and not only on the packets that need to be delivered locally.

Only the IP header checksum is checked.  We don't want to forward
a packet with a broken header because we can't be sure if it wasn't
the destination address that is broken.

Be aware that we do not calculate any checksum of the entire IP packet.
(This is up to the higher level protocol).

> It looks like a very expensive way of doing it, especially on high
> PPS. Basically all hosts do checksumming so why not just pass the bad
> packet on, making the forward process a lot cheaper (CPU wise)?

On modern network cards (mostly GigE) you have hardware support for
that.  So there is no expense anymore.

> I ran some tests (unable to disclose results) by removing it completely
> and it seems to make a noticeable impact on the performance.

Can you qualify this more?  The checksumming touches only 20 bytes
(or a couple more if IP options are present).

> Especially on for example gaming services where there is a high PPS versus
> actual data.
> 
> Besides that I'd like to add that FreeBSD has the fastest forwarding engine
> I've seen on any free OS. It's in my opinion a very suitable OS for
> routing/forwarding.

We are working on it to make it even faster.  If you are using 5.2 or
-current you get the first step of it by enabling net.inet.ip.fastforwarding.
This is a newly written fast path for packet forwarding. (Do not do this
on 4.9 because that is the old ip_flow code).

-- 
Andre
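
Added example, not part of the original message and not FreeBSD's ip_input code: a minimal RFC 1071 header-only check showing why a forwarder verifies the 20-byte header first, since a single flipped bit in the destination address is caught before any routing decision. The function names and the sample header (documentation addresses 192.0.2.1 and 198.51.100.7) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum (RFC 1071) over the IP header only (IHL * 4 bytes). */
static uint16_t ip_hdr_cksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)                    /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 1 if the header is sane enough to forward, 0 if it must be dropped. */
int ip_hdr_ok(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* 20 bytes, more with options */
    if (hlen < 20 || hlen > pktlen)
        return 0;
    /* Summed with its own checksum field included, a valid header yields 0. */
    return ip_hdr_cksum(pkt, hlen) == 0;
}

/* Constructed sample: IPv4, no options, TTL 64, UDP, 192.0.2.1 -> 198.51.100.7 */
void make_sample(uint8_t h[20])
{
    static const uint8_t base[20] = {
        0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00,
        0x40, 0x11, 0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 7 };
    memcpy(h, base, 20);
    uint16_t c = ip_hdr_cksum(h, 20);    /* checksum field is zero here */
    h[10] = (uint8_t)(c >> 8);
    h[11] = (uint8_t)(c & 0xff);
}

/* Verify the sample after XOR-ing `mask` into one byte of the destination. */
int check_with_dst_flip(uint8_t mask)
{
    uint8_t h[20];
    make_sample(h);
    h[18] ^= mask;                       /* bytes 16..19 hold the destination */
    return ip_hdr_ok(h, 20);
}

int main(void)
{
    printf("intact header:   %d\n", check_with_dst_flip(0x00));
    printf("dst bit flipped: %d\n", check_with_dst_flip(0x04));
    return 0;
}
```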


More information about the freebsd-hackers mailing list