[NETFILTER]: Add address family specific checksum helpers

Add checksum operation which takes care of verifying the checksum and
dealing with HW checksum errors and avoids multiple checksum
operations by setting ip_summed to CHECKSUM_UNNECESSARY after
successful verification.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 6ee168c..b31a9bc 100644 (file)
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -285,6 +285,8 @@ extern int skb_make_writable(struct sk_buff **pskb, unsigned int writable_len);
 
 struct nf_afinfo {
        unsigned short  family;
+       unsigned int    (*checksum)(struct sk_buff *skb, unsigned int hook,
+                                   unsigned int dataoff, u_int8_t protocol);
        void            (*saveroute)(const struct sk_buff *skb,
                                     struct nf_info *info);
        int             (*reroute)(struct sk_buff **skb,
@@ -298,6 +300,21 @@ static inline struct nf_afinfo *nf_get_afinfo(unsigned short family)
        return rcu_dereference(nf_afinfo[family]);
 }
 
+static inline unsigned int
+nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
+           u_int8_t protocol, unsigned short family)
+{
+       struct nf_afinfo *afinfo;
+       unsigned int csum = 0;
+
+       rcu_read_lock();
+       afinfo = nf_get_afinfo(family);
+       if (afinfo)
+               csum = afinfo->checksum(skb, hook, dataoff, protocol);
+       rcu_read_unlock();
+       return csum;
+}
+
 extern int nf_register_afinfo(struct nf_afinfo *afinfo);
 extern void nf_unregister_afinfo(struct nf_afinfo *afinfo);
 

diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 43c09d7..85301c5 100644 (file)
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -80,6 +80,8 @@ enum nf_ip_hook_priorities {
 #ifdef __KERNEL__
 extern int ip_route_me_harder(struct sk_buff **pskb);
 extern int ip_xfrm_me_harder(struct sk_buff **pskb);
+extern unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+                                  unsigned int dataoff, u_int8_t protocol);
 #endif /*__KERNEL__*/
 
 #endif /*__LINUX_IP_NETFILTER_H*/

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 14f2bd0..52a7b9e 100644 (file)
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -73,6 +73,9 @@ enum nf_ip6_hook_priorities {
 };
 
 #ifdef CONFIG_NETFILTER
+extern unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
+                                   unsigned int dataoff, u_int8_t protocol);
+
 extern int ipv6_netfilter_init(void);
 extern void ipv6_netfilter_fini(void);
 #else /* CONFIG_NETFILTER */

diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index b25339c..6a9e34b 100644 (file)
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -161,8 +161,41 @@ static int nf_ip_reroute(struct sk_buff **pskb, const struct nf_info *info)
        return 0;
 }
 
+unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+                           unsigned int dataoff, u_int8_t protocol)
+{
+       struct iphdr *iph = skb->nh.iph;
+       unsigned int csum = 0;
+
+       switch (skb->ip_summed) {
+       case CHECKSUM_HW:
+               if (hook != NF_IP_PRE_ROUTING && hook != NF_IP_LOCAL_IN)
+                       break;
+               if ((protocol == 0 && !(u16)csum_fold(skb->csum)) ||
+                   !csum_tcpudp_magic(iph->saddr, iph->daddr,
+                                      skb->len - dataoff, protocol,
+                                      skb->csum)) {
+                       skb->ip_summed = CHECKSUM_UNNECESSARY;
+                       break;
+               }
+               /* fall through */
+       case CHECKSUM_NONE:
+               if (protocol == 0)
+                       skb->csum = 0;
+               else
+                       skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
+                                                      skb->len - dataoff,
+                                                      protocol, 0);
+               csum = __skb_checksum_complete(skb);
+       }
+       return csum;
+}
+
+EXPORT_SYMBOL(nf_ip_checksum);
+
 static struct nf_afinfo nf_ip_afinfo = {
        .family         = AF_INET,
+       .checksum       = nf_ip_checksum,
        .saveroute      = nf_ip_saveroute,
        .reroute        = nf_ip_reroute,
        .route_key_size = sizeof(struct ip_rt_info),

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index f514a01..3e9ecfa 100644 (file)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -79,8 +79,42 @@ static int nf_ip6_reroute(struct sk_buff **pskb, const struct nf_info *info)
        return 0;
 }
 
+unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
+                            unsigned int dataoff, u_int8_t protocol)
+{
+       struct ipv6hdr *ip6h = skb->nh.ipv6h;
+       unsigned int csum = 0;
+
+       switch (skb->ip_summed) {
+       case CHECKSUM_HW:
+               if (hook != NF_IP6_PRE_ROUTING && hook != NF_IP6_LOCAL_IN)
+                       break;
+               if (!csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
+                                    skb->len - dataoff, protocol,
+                                    csum_sub(skb->csum,
+                                             skb_checksum(skb, 0,
+                                                          dataoff, 0)))) {
+                       skb->ip_summed = CHECKSUM_UNNECESSARY;
+                       break;
+               }
+               /* fall through */
+       case CHECKSUM_NONE:
+               skb->csum = ~csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
+                                            skb->len - dataoff,
+                                            protocol,
+                                            csum_sub(0,
+                                                     skb_checksum(skb, 0,
+                                                                  dataoff, 0)));
+               csum = __skb_checksum_complete(skb);
+       }
+       return csum;
+}
+
+EXPORT_SYMBOL(nf_ip6_checksum);
+
 static struct nf_afinfo nf_ip6_afinfo = {
        .family         = AF_INET6,
+       .checksum       = nf_ip6_checksum,
        .saveroute      = nf_ip6_saveroute,
        .reroute        = nf_ip6_reroute,
        .route_key_size = sizeof(struct ip6_rt_info),