Never mind, here is the answer:

 * PARTIAL: identical to the case for output below. This may occur
 *          on a packet received directly from another Linux OS, e.g.,
 *          a virtualised Linux kernel on the same host. The packet can
 *          be treated in the same way as UNNECESSARY except that on
 *          output (i.e., forwarding) the checksum must be filled in
 *          by the OS or the hardware.

On Fri, Apr 26, 2013 at 2:51 PM, Jorge Ventura <jorge.araujo.ventura@xxxxxxxxx> wrote:
> I have been doing many tests using xt_CHECKSUM and observed:
>
> When I have the check sum = 0, skb->ip_summed is equal to
> CHECKSUM_COMPLETE and the xt_CHECKSUM does nothing but the packet
> leaves the host with correct check sum, which makes sense because check
> sum = 0 means "no check sum".
>
> The module should do something only when skb->ip_summed ==
> CHECKSUM_PARTIAL, that means someone else is taking care of filling out
> the correct check sum. I removed the mangle rule using xt_CHECKSUM and
> obviously the result was the same.
>
> I sent one packet with wrong check sum using the mangle rule and the
> check sum was not fixed because skb->ip_summed == CHECKSUM_NONE.
>
> The only scenario that xt_CHECKSUM will do something is "bad checksum"
> and "skb->ip_summed == CHECKSUM_PARTIAL". In real world, what
> situation is that ???
>
> On Fri, Apr 19, 2013 at 7:18 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>> On Thu, Apr 18, 2013 at 10:48:38AM -0500, Jorge Ventura wrote:
>>> Dear nf devels,
>>> I am trying to use the xt_CHECKSUM module to fix a UDP packet that
>>> is coming with a check sum error. I have an iptables firewall with
>>> two ethernet cards (eth0 private and eth1 public), all ethernet
>>> offload parameters are off in both ethernet cards and
>>> nf_conntrack_checksum = 0.
>>>
>>> This is my iptables rule to fix the checksum:
>>>
>>> iptables -A POSTROUTING -t mangle -p udp --dport 162 -j CHECKSUM --checksum-fill
>>>
>>> The traffic resulting when the single UDP packet is received using tcpdump:
>>>
>>> input at eth1 (public): [src ip].1046 > [eth1 public ip].162: [bad
>>> udp cksum ff!]
>>> output at eth0 (private): [src ip].1046 > [eth0 private ip].162: [bad
>>> udp cksum ff!]
>>>
>>> I did use printk inside the module to see what I have at
>>> skb->ip_summed and I observed that the value is CHECKSUM_NONE, however
>>> to have the checksum fixed by the function checksum_tg, this value
>>> should be CHECKSUM_PARTIAL.
>>>
>>> Please let me know if I am misunderstanding the way that
>>> --checksum-fill is handled by the xt_CHECKSUM module.
>>
>> The target can only compute proper checksums for packets which have no
>> checksum set. If it is already set, the value will get included in the
>> calculation and the result will be wrong.
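
Added example (not part of the thread and not kernel code): a userspace C model of the fill step discussed above, showing why a field pre-seeded the way a CHECKSUM_PARTIAL packet is comes out valid while a stale checksum left in the field does not. The addresses, payload and the 0xbeef stale value are constructed; the model assumes the fill step sums the UDP segment including whatever is in the checksum field, as the reply above describes, and that a CHECKSUM_PARTIAL packet carries the pseudo-header sum in that field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 192.0.2.1:1046 -> 198.51.100.7:162, 4-byte payload. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {198, 51, 100, 7};
static const uint8_t UDP_TEMPLATE[12] = {
    0x04, 0x16, 0x00, 0xa2,   /* sport 1046, dport 162 */
    0x00, 0x0c, 0x00, 0x00,   /* length 12, checksum field (set per case) */
    't', 'r', 'a', 'p' };

/* One's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t csum_add(const uint8_t *p, size_t len, uint32_t sum)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* IPv4 pseudo-header sum: addresses, protocol 17 (UDP), UDP length. */
static uint16_t pseudo_sum(const uint8_t *src, const uint8_t *dst, uint16_t udp_len)
{
    uint32_t s = csum_add(src, 4, 0) + csum_add(dst, 4, 0) + 17u + udp_len;
    return csum_add(src, 0, s);   /* len 0: only folds the carries */
}

/* Put `field` in the checksum slot, run the modelled fill step (sum the
 * whole UDP segment including that slot, store the complement), then
 * verify as a receiver would. Returns 1 if the final checksum is valid. */
static int fill_then_verify(uint16_t field)
{
    uint8_t udp[12];
    for (size_t i = 0; i < sizeof udp; i++) udp[i] = UDP_TEMPLATE[i];
    udp[6] = (uint8_t)(field >> 8); udp[7] = (uint8_t)(field & 0xff);
    uint16_t c = (uint16_t)~csum_add(udp, sizeof udp, 0);
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)(c & 0xff);
    return csum_add(udp, sizeof udp, pseudo_sum(SRC, DST, (uint16_t)sizeof udp)) == 0xffff;
}

int main(void)
{
    uint16_t seed = pseudo_sum(SRC, DST, 12);
    printf("seeded (PARTIAL-style) field 0x%04x -> valid=%d\n", seed, fill_then_verify(seed));
    printf("stale checksum 0xbeef in field   -> valid=%d\n", fill_then_verify(0xbeef));
    return 0;
}
```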