Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 00bd1cc2 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: nfnetlink_queue: avoid expensive gso segmentation and checksum fixup 



Userspace can now indicate that it can cope with larger-than-mtu sized
packets and packets that have invalid ipv4/tcp checksums.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7237190d

include/uapi/linux/netfilter/nfnetlink_queue.h

+2 −1
Original line number Diff line number Diff line
@@ -97,7 +97,8 @@ enum nfqnl_attr_config { 
/* Flags for NFQA_CFG_FLAGS */

#define NFQA_CFG_F_FAIL_OPEN			(1 << 0)

#define NFQA_CFG_F_CONNTRACK			(1 << 1)

#define NFQA_CFG_F_MAX				(1 << 2)

#define NFQA_CFG_F_GSO				(1 << 2)

#define NFQA_CFG_F_MAX				(1 << 3)



/* flags for NFQA_SKB_INFO */

/* packet appears to have wrong checksums, but they are ok */

net/netfilter/nfnetlink_queue_core.c

+3 −2
Original line number Diff line number Diff line
@@ -327,7 +327,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, 
		break;



	case NFQNL_COPY_PACKET:

		if (entskb->ip_summed == CHECKSUM_PARTIAL &&

		if (!(queue->flags & NFQA_CFG_F_GSO) &&

		    entskb->ip_summed == CHECKSUM_PARTIAL &&

		    skb_checksum_help(entskb))

			return NULL;
@@ -636,7 +637,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) 
	if (queue->copy_mode == NFQNL_COPY_NONE)

		return -EINVAL;



	if (!skb_is_gso(entry->skb))

	if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(entry->skb))

		return __nfqnl_enqueue_packet(net, queue, entry);



	skb = entry->skb;