Hi Jean-Michel, can you please test again with Yoshifuji's patches and attached patch? I think csum16_add() is still not proper, we would also need a carry bit if "result < a". We better use the internal checksum functions if possible... Cheers Ulrich
>From 40e0c6d86514a8dcc80f18fbe8a2945c6ee78f6d Mon Sep 17 00:00:00 2001 From: Ulrich Weber <ulrich.weber@xxxxxxxxxx> Date: Tue, 29 Jan 2013 15:24:21 +0100 Subject: [PATCH] netfilter: ip6t_NTP: Use onces complement of csum_fold we need a 16bit value but not folded Signed-off-by: Ulrich Weber <ulrich.weber@xxxxxxxxxx> --- net/ipv6/netfilter/ip6t_NPT.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c index 74e171d..61a9b95 100644 --- a/net/ipv6/netfilter/ip6t_NPT.c +++ b/net/ipv6/netfilter/ip6t_NPT.c @@ -35,7 +35,7 @@ static int ip6t_npt_checkentry(const struct xt_tgchk_param *par) src_sum = csum_partial(&npt->src_pfx.in6, sizeof(npt->src_pfx.in6), 0); dst_sum = csum_partial(&npt->dst_pfx.in6, sizeof(npt->dst_pfx.in6), 0); - npt->adjustment = csum_fold(csum_sub(src_sum, dst_sum)); + npt->adjustment = ~csum_fold(csum_sub(src_sum, dst_sum)); return 0; } @@ -71,8 +71,8 @@ static bool ip6t_npt_map_pfx(const struct ip6t_npt_tginfo *npt, return false; } - sum = csum_fold(csum_add(csum_unfold((__force __sum16)addr->s6_addr16[idx]), - csum_unfold(npt->adjustment))); + sum = ~csum_fold(csum_add(csum_unfold((__force __sum16)addr->s6_addr16[idx]), + csum_unfold(npt->adjustment))); if (sum == CSUM_MANGLED_0) sum = 0; *(__force __sum16 *)&addr->s6_addr16[idx] = sum; -- 1.7.9.5
