Gotcha. Thank you.

On Fri, Apr 19, 2013 at 7:18 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> On Thu, Apr 18, 2013 at 10:48:38AM -0500, Jorge Ventura wrote:
>> Dear nf devels,
>> I am trying to use the xt_CHECKSUM module to fix a UDP packet that
>> is coming with a checksum error. I have an iptables firewall with
>> two ethernet cards (eth0 private and eth1 public), all ethernet
>> offload parameters are off in both ethernet cards and
>> nf_conntrack_checksum = 0.
>>
>> This is my iptables rule to fix the checksum:
>>
>> iptables -A POSTROUTING -t mangle -p udp --dport 162 -j CHECKSUM --checksum-fill
>>
>> The traffic resulting when the single UDP packet is received using tcpdump:
>>
>> input at eth1 (public): [src ip].1046 > [eth1 public ip].162: [bad udp cksum ff!]
>> output at eth0 (private): [src ip].1046 > [eth0 private ip].162: [bad udp cksum ff!]
>>
>> I did use printk inside the module to see what I have at
>> skb->ip_summed and I observed that the value is CHECKSUM_NONE, however
>> to have the checksum fixed by the function checksum_tg, this value
>> should be CHECKSUM_PARTIAL.
>>
>> Please let me know if I am misunderstanding the way that
>> --checksum-fill is handled by the xt_CHECKSUM module.
>
> The target can only compute proper checksums for packets which have no
> checksum set. If it is already set, the value will get included in the
> calculation and the result will be wrong.
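The arithmetic behind the reply above, as an added userspace example that is not part of the thread and is not xt_CHECKSUM's code: it fills a UDP checksum once with the field cleared first and once with a stale value left in place, then runs the receiver's check. The datagram, the stale value 0xdead, the addresses and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 ones'-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (n)
        acc += (uint32_t)p[0] << 8;
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* Checksum over IPv4 pseudo-header + UDP header + payload. Bytes 6..7 (the
 * checksum field) are summed like any other word, whatever they contain. */
static uint16_t udp_csum(const uint8_t *src, const uint8_t *dst,
                         const uint8_t *udp, size_t len)
{
    uint8_t ph[12] = {[9] = 17, [10] = (uint8_t)(len >> 8), [11] = (uint8_t)len};
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    return (uint16_t)~sum16(udp, len, sum16(ph, sizeof ph, 0));
}

/* Constructed datagram: sport 1046, dport 162, length 12, stale checksum
 * 0xdead, payload "trap"; addresses are from documentation ranges (assumed).
 * Stores the checksum written in *written; returns 1 if a receiver accepts it. */
int fill_and_verify(int clear_first, uint16_t *written)
{
    static const uint8_t src[4] = {192, 0, 2, 10}, dst[4] = {198, 51, 100, 20};
    uint8_t udp[12] = {0x04, 0x16, 0x00, 0xa2, 0x00, 0x0c, 0xde, 0xad,
                       't', 'r', 'a', 'p'};
    if (clear_first)
        udp[6] = udp[7] = 0;                      /* field must be zero when summed */
    *written = udp_csum(src, dst, udp, sizeof udp);
    if (*written == 0)
        *written = 0xffff;                        /* RFC 768: zero is sent as all ones */
    udp[6] = (uint8_t)(*written >> 8);
    udp[7] = (uint8_t)*written;
    return udp_csum(src, dst, udp, sizeof udp) == 0;  /* a valid datagram sums to 0 */
}
```

With the stale value summed in, the receiver's check leaves exactly that stale value as the residue instead of zero, so the datagram is still reported as bad.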