Currently, the reassembly code drops non-fragmented packets with a bad checksum before they reach the conntrack code. This is not something one would expect from the ipf_is_valid_v4_frag() / ipf_extract_frags_from_batch() functions.
While at it, add coverage counters so that checksum validation impact can be monitored.
Signed-off-by: David Marchand <david.march...@redhat.com>
---
 lib/ipf.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/ipf.c b/lib/ipf.c
index b76181e793..0066aeb50b 100644
--- a/lib/ipf.c
+++ b/lib/ipf.c
@@ -36,6 +36,7 @@
 VLOG_DEFINE_THIS_MODULE(ipf);
 COVERAGE_DEFINE(ipf_stuck_frag_list_purged);
+COVERAGE_DEFINE(ipf_l3csum_checked);
 COVERAGE_DEFINE(ipf_l3csum_err);
 enum {
@@ -583,11 +584,6 @@ ipf_list_state_transition(struct ipf *ipf, struct ipf_list *ipf_list,
 static bool
 ipf_is_valid_v4_frag(struct ipf *ipf, struct dp_packet *pkt)
 {
- if (OVS_UNLIKELY(dp_packet_ip_checksum_bad(pkt))) {
- COVERAGE_INC(ipf_l3csum_err);
- goto invalid_pkt;
- }
-
 const struct eth_header *l2 = dp_packet_eth(pkt);
 const struct ip_header *l3 = dp_packet_l3(pkt);
@@ -617,8 +613,12 @@ ipf_is_valid_v4_frag(struct ipf *ipf, struct dp_packet *pkt)
 goto invalid_pkt;
 }
- if (OVS_UNLIKELY(!dp_packet_ip_checksum_good(pkt)
- && csum(l3, ip_hdr_len) != 0)) {
+ bool bad_csum = dp_packet_ip_checksum_bad(pkt);
+ if (OVS_UNLIKELY(!bad_csum && !dp_packet_ip_checksum_good(pkt))) {
+ COVERAGE_INC(ipf_l3csum_checked);
+ bad_csum = csum(l3, ip_hdr_len);
+ }
+ if (OVS_UNLIKELY(bad_csum)) {
 COVERAGE_INC(ipf_l3csum_err);
 goto invalid_pkt;
 }
--
2.48.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
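Review bot: In the third hunk (`@@ -617,8 +613,12 @@`), `bad_csum = csum(l3, ip_hdr_len);` relies on an implicit integer-to-bool conversion where the removed code compared explicitly; `bad_csum = csum(l3, ip_hdr_len) != 0;` keeps the intent readable and stays correct if `bad_csum` ever stops being a `bool`. The block would also benefit from a short comment such as `/* Validate the checksum only once the packet is known to be a fragment; non-fragments with a bad checksum are left to conntrack. */`, because the placement of this check is now the behaviour the commit depends on and is easy to undo in a later refactor. The fragment test itself is not visible here, so that it precedes this block is presumed from the commit message; since bad-checksum non-fragments now reach conntrack, it is worth confirming (ideally with a test) that conntrack marks them invalid rather than tracking them. The body of ipf_is_valid_v4_frag() starts and ends outside this hunk.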