Hi.

When using nfqueue, userspace currently has no way to tell whether queued packets have a bad checksum, i.e. applications that need data integrity must do full checksum validation in userspace (except maybe when only queueing in OUTPUT).

However, there are several places where incoming packets are already checksummed in kernel, before the packet hits nfqueue, e.g. via nic rx csum offload, or in conntrack.

So I think it would be nice to provide a hint that the kernel already did checksumming. The SKB_INFO attribute added in -net for GRO support seems like a candidate.

However, since 'already checksummed' is the common case, this would mean adding that attribute most of the time. Unless we would do the opposite hint, i.e. tell userspace when checksumming has NOT been performed yet.

Such a change would however need to go into -net, else userspace can't tell 'checksum ok' from 'kernel too old to provide flag in SKB_INFO attribute'.

The following patch illustrates what I had in mind, adding a hint for incoming packets and packets that are most likely not locally generated (forwarded packet in POSTROUTING).

Comments appreciated.
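The full userspace validation the message refers to, as an added example that is not part of the original post or its patch: it checks the IPv4 header checksum and the TCP/UDP checksum of a packet payload as an nfqueue application would receive it. The function names and the sample packet are constructed for illustration; IPv6, fragments and other protocols are left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 192.0.2.1:1234 -> 192.0.2.2:5678, UDP, payload "test". */
static const uint8_t sample_pkt[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x00,0x40,0x00, 0x40,0x11,0xb6,0xc9,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0xd2,0x16,0x2e, 0x00,0x0c,0x78,0xf8, 't','e','s','t'
};

/* Accumulate big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Fold the carries; data that includes a correct checksum sums to 0xffff. */
static int csum_ok(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return sum == 0xffff;
}

/* 1 = checksums good, 0 = bad, -1 = malformed, truncated or not handled here. */
int ipv4_csum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20 || pkt[0] >> 4 != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || tot < ihl || tot > len) return -1;  /* e.g. copy range too small */
    if (!csum_ok(csum_add(0, pkt, ihl))) return 0;      /* IPv4 header checksum */
    if ((pkt[6] & 0x3f) || pkt[7]) return -1;           /* fragment: reassemble first */
    uint8_t proto = pkt[9];
    size_t l4len = tot - ihl, min = proto == 6 ? 20 : 8;
    if ((proto != 6 && proto != 17) || l4len < min) return -1;
    const uint8_t *l4 = pkt + ihl;
    if (proto == 17 && !l4[6] && !l4[7]) return 1;      /* UDP/IPv4 sent without checksum */
    uint32_t sum = csum_add(0, pkt + 12, 8);            /* pseudo-header: src, dst */
    sum += proto + (uint32_t)l4len;                     /* zero byte, protocol, L4 length */
    return csum_ok(csum_add(sum, l4, l4len));
}

int main(void)
{
    printf("sample packet: %d\n", ipv4_csum_ok(sample_pkt, sizeof sample_pkt));
    return 0;
}
```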