3 files changed, 87 insertions, 0 deletions

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index aa2f106347e4..5fb8efa84df3 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -326,6 +326,22 @@ config NETFILTER_XT_CONNMARK
 
 comment "Xtables targets"
 
+config NETFILTER_XT_TARGET_CHECKSUM
+        tristate "CHECKSUM target support"
+        depends on IP_NF_MANGLE || IP6_NF_MANGLE
+        depends on NETFILTER_ADVANCED
+        ---help---
+          This option adds a `CHECKSUM' target, which can be used in the iptables mangle
+          table.
+
+          You can use this target to compute and fill in the checksum in
+          a packet that lacks a checksum.  This is particularly useful,
+          if you need to work around old applications such as dhcp clients,
+          that do not work well with checksum offloads, but don't want to disable
+          checksum offload in your device.
+
+          To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_TARGET_CLASSIFY
         tristate '"CLASSIFY" target support'
         depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index e28420aac5ef..36ef8e63be1e 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
 
 # targets
+obj-$(CONFIG_NETFILTER_XT_TARGET_CHECKSUM) += xt_CHECKSUM.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
new file mode 100644
index 000000000000..0f642ef8cd26
--- /dev/null
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -0,0 +1,70 @@
+/* iptables module for the packet checksum mangling
+ *
+ * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2010 Red Hat, Inc.
+ *
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_CHECKSUM.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
+MODULE_DESCRIPTION("Xtables: checksum modification");
+MODULE_ALIAS("ipt_CHECKSUM");
+MODULE_ALIAS("ip6t_CHECKSUM");
+
+static unsigned int
+checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        if (skb->ip_summed == CHECKSUM_PARTIAL)
+                skb_checksum_help(skb);
+
+        return XT_CONTINUE;
+}
+
+static int checksum_tg_check(const struct xt_tgchk_param *par)
+{
+        const struct xt_CHECKSUM_info *einfo = par->targinfo;
+
+        if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
+                pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
+                return -EINVAL;
+        }
+        if (!einfo->operation) {
+                pr_info("no CHECKSUM operation enabled\n");
+                return -EINVAL;
+        }
+        return 0;
+}
+
+static struct xt_target checksum_tg_reg __read_mostly = {
+        .name           = "CHECKSUM",
+        .family         = NFPROTO_UNSPEC,
+        .target         = checksum_tg,
+        .targetsize     = sizeof(struct xt_CHECKSUM_info),
+        .table          = "mangle",
+        .checkentry     = checksum_tg_check,
+        .me             = THIS_MODULE,
+};
+
+static int __init checksum_tg_init(void)
+{
+        return xt_register_target(&checksum_tg_reg);
+}
+
+static void __exit checksum_tg_exit(void)
+{
+        xt_unregister_target(&checksum_tg_reg);
+}
+
+module_init(checksum_tg_init);
+module_exit(checksum_tg_exit);