- skb_checksum_setup can only handle TCP/UDP protocols under the top-level IP header; packets with other protocols (like GRE) are sent out by WireGuard with unfinished partial checksums, which causes problems on the receiving side (bad checksums).
- skb_encrypt gets skb prepared by network stack, so there is no need to setup the checksum from scratch, but just perform hw checksum offload using software helper skb_checksum_help for packet which explicitly require it as denoted by CHECKSUM_PARTIAL. Signed-off-by: Andrejs Hanins <ahan...@gmail.com> --- src/send.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/send.c b/src/send.c index 3af7ef3..1d021ae 100644 --- a/src/send.c +++ b/src/send.c @@ -151,9 +151,9 @@ static inline bool skb_encrypt(struct sk_buff *skb, struct noise_keypair *keypai if (unlikely(skb_cow_head(skb, DATA_PACKET_HEAD_ROOM) < 0)) return false; - /* We have to remember to add the checksum to the innerpacket, in case the receiver forwards it. */ - if (likely(!skb_checksum_setup(skb, true))) - skb_checksum_help(skb); + /* Finalize checksum calculation for the inner packet, if required. */ + if (skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_help(skb)) + return false; /* Only after checksumming can we safely add on the padding at the end and the header. */ skb_set_inner_network_header(skb, 0); -- 2.17.1 _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
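Review bot: In skb_encrypt, the new `return false` when skb_checksum_help(skb) returns non-zero is a behaviour change that the commit message does not mention. The removed lines called skb_checksum_help and ignored its result, so a failed checksum fixup continued on to encryption; with this change it aborts the same way the skb_cow_head failure just above does. Please state that in the commit message and confirm the caller treats this false return as a drop. The rewritten comment also loses the reason given in the old one (the receiver may forward the inner packet); keeping that clause, for example "Finalize checksum calculation for the inner packet, if required, in case the receiver forwards it.", would preserve the rationale for readers of send.c.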