Commit 8f8a85b8 authored by fan.du's avatar fan.du Committed by Willy Tarreau

{pktgen, xfrm} Update IPv4 header total len and checksum after tranformation

[ Upstream commit 3868204d ]

commit a553e4a6 ("[PKTGEN]: IPSEC support")
tried to support IPsec ESP transport transformation for pktgen, but acctually
this doesn't work at all for two reasons(The orignal transformed packet has
bad IPv4 checksum value, as well as wrong auth value, reported by wireshark)

- After transpormation, IPv4 header total length needs update,
  because encrypted payload's length is NOT same as that of plain text.

- After transformation, IPv4 checksum needs re-caculate because of payload
  has been changed.

With this patch, armmed pktgen with below cofiguration, Wireshark is able to
decrypted ESP packet generated by pktgen without any IPv4 checksum error or
auth value error.

pgset "flag IPSEC"
pgset "flows 1"
Signed-off-by: default avatarFan Du <fan.du@windriver.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent b9e0d1d1
...@@ -2495,6 +2495,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, ...@@ -2495,6 +2495,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev,
if (x) { if (x) {
int ret; int ret;
__u8 *eth; __u8 *eth;
struct iphdr *iph;
nhead = x->props.header_len - skb_headroom(skb); nhead = x->props.header_len - skb_headroom(skb);
if (nhead > 0) { if (nhead > 0) {
ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC); ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
...@@ -2517,6 +2519,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, ...@@ -2517,6 +2519,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev,
eth = (__u8 *) skb_push(skb, ETH_HLEN); eth = (__u8 *) skb_push(skb, ETH_HLEN);
memcpy(eth, pkt_dev->hh, 12); memcpy(eth, pkt_dev->hh, 12);
*(u16 *) &eth[12] = protocol; *(u16 *) &eth[12] = protocol;
/* Update IPv4 header len as well as checksum value */
iph = ip_hdr(skb);
iph->tot_len = htons(skb->len - ETH_HLEN);
ip_send_check(iph);
} }
} }
return 1; return 1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment