FAST_IPSEC NAT-T support
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Fri Sep 15 02:25:13 PDT 2006
[just replying to a random mail of one of the various NAT-T threads
at this point]
I had started to review the code (to find some problems people had
with the patch) and came up with the following so far. This work
was done based on the old freebsd6-natt.diff which is no longer
available:( but should equally apply to the new one.
Here is what the patch changes:
- do not request more data to be collapsed into one contiguous data
area of a mbuf than needed. sizeof(struct udphdr) is already
included in off.
- remove unused variable 'family'
- the original patch did a m_dup() to get another writable copy (not
only a reference) of the mbuf chain but did this after touching/changing
data of the original mbuf. As it shouldn't matter in either case do
it the right way and create the copy before moving data around so the
original mbuf stays untouched.
- After removing the UDP part correctly set the new ip_len. The value
already is in hbo so arithmetics were wrong. The new value should not
be needed by functions called (though they may change it too) but if
we adjust it do it correctly.
- NICs like bge(4) do support IP/TCP/UDP checksum offloading. That
means once a natt packet hits udp_input a csum for the IP and UDP
payload was already validated.
UDP checksumming is generally optional so nobody really cares in
case it's a) not requested and b) the NIC doesn't do it already.
But in case the NIC does, the flags are set on the mbuf that the
csum was/is correct.
While this mbuf (or a 1:1 copy) is passed on to ESP handling and
later for example TCP handlig the valid csum flags are still there
but our paket has changed and of course the original checksum for
the UDP natt part is no longer the same and valid for the TCP
payload and thus the packet gets dropped.
So clear the csum flags if set before handing the packet off to
Now that it looks that finally all the bits and pieces are there for
NAT-T support I'll continue the review as time permits.
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
More information about the freebsd-net