[NETFILTER]: Convert conntrack/ipt_REJECT to new checksumming functions

Besides removing lots of duplicate code, all converted users benefit from improved HW checksum error handling. Tested with and without HW checksums in almost all combinations. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-04-06 17:19:24 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-04-10 01:25:42 -0400
commit: 96f6bf82ea3abc77d255d5d554df5f349651f6de (patch)
tree: 7050071415f6e0ab56ee6d9a51680b30c3876a94 /net/ipv4
parent: 422c346fad806e2abaeffac686860ebc98dfe33e (diff)
5 files changed, 13 insertions, 53 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index 3021af0910f1..d8b14a9010a6 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -224,25 +224,14 @@ icmp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
        }
        /* See ip_conntrack_proto_tcp.c */
-        if (hooknum != NF_IP_PRE_ROUTING)
+        if (hooknum == NF_IP_PRE_ROUTING &&
-                goto checksum_skipped;
+            nf_ip_checksum(skb, hooknum, skb->nh.iph->ihl * 4, 0)) {
+                if (LOG_INVALID(IPPROTO_ICMP))
-        switch (skb->ip_summed) {
+                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
-        case CHECKSUM_HW:
+                                      "ip_ct_icmp: bad ICMP checksum ");
-                if (!(u16)csum_fold(skb->csum)) 
+                return -NF_ACCEPT;
-                        break;
-                /* fall through */
-        case CHECKSUM_NONE:
-                skb->csum = 0;
-                if (__skb_checksum_complete(skb)) {
-                        if (LOG_INVALID(IPPROTO_ICMP))
-                                nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
-                                              "ip_ct_icmp: bad ICMP checksum ");
-                        return -NF_ACCEPT;
-                }
        }
-checksum_skipped:
        /*
         *      18 is the highest 'known' ICMP type. Anything else is a mystery
         *
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index e0dc37063545..062b252b58ad 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -870,11 +870,8 @@ static int tcp_error(struct sk_buff *skb,
         * and moreover root might send raw packets.
         */
        /* FIXME: Source route IP option packets --RR */
-        if (hooknum == NF_IP_PRE_ROUTING
+        if (hooknum == NF_IP_PRE_ROUTING &&
-            && skb->ip_summed != CHECKSUM_UNNECESSARY
+            nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_TCP)) {
-            && csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
-                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
-                                 : skb_checksum(skb, iph->ihl*4, tcplen, 0))) {
                if (LOG_INVALID(IPPROTO_TCP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_tcp: bad TCP checksum ");
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
index 55b7d3210adf..70899868783b 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
@@ -120,11 +120,8 @@ static int udp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
         * because the semantic of CHECKSUM_HW is different there 
         * and moreover root might send raw packets.
         * FIXME: Source route IP option packets --RR */
-        if (hooknum == NF_IP_PRE_ROUTING
+        if (hooknum == NF_IP_PRE_ROUTING &&
-            && skb->ip_summed != CHECKSUM_UNNECESSARY
+            nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_UDP)) {
-            && csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP,
-                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
-                                 : skb_checksum(skb, iph->ihl*4, udplen, 0))) {
                if (LOG_INVALID(IPPROTO_UDP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_udp: bad UDP checksum ");
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 4269a5440d43..0bba3c2bb786 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -106,7 +106,6 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        struct rtable *rt;
        u_int16_t tmp_port;
        u_int32_t tmp_addr;
-        unsigned int tcplen;
        int needs_ack;
        int hh_len;
@@ -124,13 +123,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
                return;
        /* Check checksum */
-        tcplen = oldskb->len - iph->ihl * 4;
+        if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
-        if (((hook != NF_IP_LOCAL_IN && oldskb->ip_summed != CHECKSUM_HW) ||
-             (hook == NF_IP_LOCAL_IN &&
-              oldskb->ip_summed != CHECKSUM_UNNECESSARY)) &&
-            csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
-                              oldskb->ip_summed == CHECKSUM_HW ? oldskb->csum :
-                              skb_checksum(oldskb, iph->ihl * 4, tcplen, 0)))
                return;
        if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 52dc175be39a..4b0d361cc6e6 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -235,30 +235,14 @@ icmp_error(struct sk_buff *skb, unsigned int dataoff,
        }
        /* See ip_conntrack_proto_tcp.c */
-        if (hooknum != NF_IP_PRE_ROUTING)
+        if (hooknum == NF_IP_PRE_ROUTING &&
-                goto checksum_skipped;
+            nf_ip_checksum(skb, hooknum, dataoff, 0)) {
-        switch (skb->ip_summed) {
-        case CHECKSUM_HW:
-                if (!(u16)csum_fold(skb->csum))
-                        break;
                if (LOG_INVALID(IPPROTO_ICMP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                      "nf_ct_icmp: bad HW ICMP checksum ");
                return -NF_ACCEPT;
-        case CHECKSUM_NONE:
-                if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) {
-                        if (LOG_INVALID(IPPROTO_ICMP))
-                                nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-                                              NULL,
-                                              "nf_ct_icmp: bad ICMP checksum ");
-                        return -NF_ACCEPT;
-                }
-        default:
-                break;
        }
-checksum_skipped:
        /*
         *      18 is the highest 'known' ICMP type. Anything else is a mystery
         *
author	Patrick McHardy <kaber@trash.net>	2006-04-06 17:19:24 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-04-10 01:25:42 -0400
commit	96f6bf82ea3abc77d255d5d554df5f349651f6de (patch)
tree	7050071415f6e0ab56ee6d9a51680b30c3876a94 /net/ipv4
parent	422c346fad806e2abaeffac686860ebc98dfe33e (diff)

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c index 3021af0910f1..d8b14a9010a6 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -224,25 +224,14 @@ icmp_error(struct sk_buff skb, enum ip_conntrack_info ctinfo,
224	}	224	}
225		225
226	/* See ip_conntrack_proto_tcp.c */	226	/* See ip_conntrack_proto_tcp.c */
227	if (hooknum != NF_IP_PRE_ROUTING)	227	if (hooknum == NF_IP_PRE_ROUTING &&
228	goto checksum_skipped;	228	nf_ip_checksum(skb, hooknum, skb->nh.iph->ihl * 4, 0)) {
229		229	if (LOG_INVALID(IPPROTO_ICMP))
230	switch (skb->ip_summed) {	230	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
231	case CHECKSUM_HW:	231	"ip_ct_icmp: bad ICMP checksum ");
232	if (!(u16)csum_fold(skb->csum))	232	return -NF_ACCEPT;
233	break;
234	/* fall through */
235	case CHECKSUM_NONE:
236	skb->csum = 0;
237	if (__skb_checksum_complete(skb)) {
238	if (LOG_INVALID(IPPROTO_ICMP))
239	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
240	"ip_ct_icmp: bad ICMP checksum ");
241	return -NF_ACCEPT;
242	}
243	}	233	}
244		234
245	checksum_skipped:
246	/*	235	/*
247	* 18 is the highest 'known' ICMP type. Anything else is a mystery	236	* 18 is the highest 'known' ICMP type. Anything else is a mystery
248	*	237	*


diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index e0dc37063545..062b252b58ad 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -870,11 +870,8 @@ static int tcp_error(struct sk_buff *skb,
870	* and moreover root might send raw packets.	870	* and moreover root might send raw packets.
871	*/	871	*/
872	/* FIXME: Source route IP option packets --RR */	872	/* FIXME: Source route IP option packets --RR */
873	if (hooknum == NF_IP_PRE_ROUTING	873	if (hooknum == NF_IP_PRE_ROUTING &&
874	&& skb->ip_summed != CHECKSUM_UNNECESSARY	874	nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_TCP)) {
875	&& csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
876	skb->ip_summed == CHECKSUM_HW ? skb->csum
877	: skb_checksum(skb, iph->ihl*4, tcplen, 0))) {
878	if (LOG_INVALID(IPPROTO_TCP))	875	if (LOG_INVALID(IPPROTO_TCP))
879	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,	876	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
880	"ip_ct_tcp: bad TCP checksum ");	877	"ip_ct_tcp: bad TCP checksum ");


diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c index 55b7d3210adf..70899868783b 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
@@ -120,11 +120,8 @@ static int udp_error(struct sk_buff skb, enum ip_conntrack_info ctinfo,
120	* because the semantic of CHECKSUM_HW is different there	120	* because the semantic of CHECKSUM_HW is different there
121	* and moreover root might send raw packets.	121	* and moreover root might send raw packets.
122	* FIXME: Source route IP option packets --RR */	122	* FIXME: Source route IP option packets --RR */
123	if (hooknum == NF_IP_PRE_ROUTING	123	if (hooknum == NF_IP_PRE_ROUTING &&
124	&& skb->ip_summed != CHECKSUM_UNNECESSARY	124	nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_UDP)) {
125	&& csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP,
126	skb->ip_summed == CHECKSUM_HW ? skb->csum
127	: skb_checksum(skb, iph->ihl*4, udplen, 0))) {
128	if (LOG_INVALID(IPPROTO_UDP))	125	if (LOG_INVALID(IPPROTO_UDP))
129	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,	126	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
130	"ip_ct_udp: bad UDP checksum ");	127	"ip_ct_udp: bad UDP checksum ");


diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 4269a5440d43..0bba3c2bb786 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -106,7 +106,6 @@ static void send_reset(struct sk_buff *oldskb, int hook)
106	struct rtable *rt;	106	struct rtable *rt;
107	u_int16_t tmp_port;	107	u_int16_t tmp_port;
108	u_int32_t tmp_addr;	108	u_int32_t tmp_addr;
109	unsigned int tcplen;
110	int needs_ack;	109	int needs_ack;
111	int hh_len;	110	int hh_len;
112		111
@@ -124,13 +123,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
124	return;	123	return;
125		124
126	/* Check checksum */	125	/* Check checksum */
127	tcplen = oldskb->len - iph->ihl * 4;	126	if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
128	if (((hook != NF_IP_LOCAL_IN && oldskb->ip_summed != CHECKSUM_HW) \|\|
129	(hook == NF_IP_LOCAL_IN &&
130	oldskb->ip_summed != CHECKSUM_UNNECESSARY)) &&
131	csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
132	oldskb->ip_summed == CHECKSUM_HW ? oldskb->csum :
133	skb_checksum(oldskb, iph->ihl * 4, tcplen, 0)))
134	return;	127	return;
135		128
136	if ((rt = route_reverse(oldskb, oth, hook)) == NULL)	129	if ((rt = route_reverse(oldskb, oth, hook)) == NULL)


diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 52dc175be39a..4b0d361cc6e6 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -235,30 +235,14 @@ icmp_error(struct sk_buff *skb, unsigned int dataoff,
235	}	235	}
236		236
237	/* See ip_conntrack_proto_tcp.c */	237	/* See ip_conntrack_proto_tcp.c */
238	if (hooknum != NF_IP_PRE_ROUTING)	238	if (hooknum == NF_IP_PRE_ROUTING &&
239	goto checksum_skipped;	239	nf_ip_checksum(skb, hooknum, dataoff, 0)) {
240
241	switch (skb->ip_summed) {
242	case CHECKSUM_HW:
243	if (!(u16)csum_fold(skb->csum))
244	break;
245	if (LOG_INVALID(IPPROTO_ICMP))	240	if (LOG_INVALID(IPPROTO_ICMP))
246	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,	241	nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
247	"nf_ct_icmp: bad HW ICMP checksum ");	242	"nf_ct_icmp: bad HW ICMP checksum ");
248	return -NF_ACCEPT;	243	return -NF_ACCEPT;
249	case CHECKSUM_NONE:
250	if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) {
251	if (LOG_INVALID(IPPROTO_ICMP))
252	nf_log_packet(PF_INET, 0, skb, NULL, NULL,
253	NULL,
254	"nf_ct_icmp: bad ICMP checksum ");
255	return -NF_ACCEPT;
256	}
257	default:
258	break;
259	}	244	}
260		245
261	checksum_skipped:
262	/*	246	/*
263	* 18 is the highest 'known' ICMP type. Anything else is a mystery	247	* 18 is the highest 'known' ICMP type. Anything else is a mystery
264	*	248	*