Sure, fair enough. I was assuming there might be a reason of why tcp_filter was
always done after the data (not pseudo header) checksum. If there isn't (and
obviously the the possible MD5 checks are done before it too), then that's
definitely the right thing to do.
I'll resend. Though if you have the simpler change already lined up, I'll
happily refrain from sending it myself.
Frank
On 6/12/18, 3:03 PM, "Eric Dumazet" <eric.duma...@gmail.com> wrote:
On 06/12/2018 02:53 PM, van der Linden, Frank wrote:
> The convention seems to be to call tcp_checksum_complete after tcp_filter
has a chance to deal with the packet. I wanted to preserve that.
>
> If that is not a concern, then I agree that this is a far better way to
go.
>
> Frank
Given that we can drop the packet earlier from :
if (skb_checksum_init(skb, IPPROTO_TCP, inet_compute_pseudo))
goto csum_error;
I am quite sure we really do not care of tcp_filter() being
hit or not by packets with bad checksum.
Thanks
