On 2/09/2015, at 4:02 PM, Richard Procter wrote:
>
> Testing: Same code as in my email "[patch] cleaner checksum modification for
> pf", see my testing notes there.
>
> Just to be sure/anal retentive, I have retested the more involved changes:

But anal retentivity is no substitute for actually thinking...

I forgot about the pf_cksum() calls. These regenerate the checksum, effacing the effect of any pf_cksum_fixup(). So this patch is only half 'live', and these tests aren't conclusive.

And this patch won't be unquestionably live until every pf_cksum() is removed. But they're necessary in the interim for as-yet-unconverted packet modification points.

I guess one could jump through hoops to construct pf_cksum()-free code paths and a pf.conf that sticks to them. Though as there's no way to empirically distinguish correct modification from regeneration, besides manually injecting errors, testing checksum modification prior to the removal of every pf_cksum() doesn't look worth the trouble.

Alternatively, one could use the complete patch I posted as a proof-of-concept in a private tree, or for that matter just unit-test the pf_change() calls. I think I'll rustle up some of the latter.

best,
Richard.
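
The distinction drawn in the message above, as an added example that is not part of the original message and is not pf code: on an intact packet, checksum modification and regeneration give the same result, and only an injected error tells them apart, because modification carries the error through while regeneration effaces it. The function names and packet words are constructed for illustration, and the modification step uses RFC 1624 eqn. 3 rather than pf's own routine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Regeneration: recompute the checksum from the data (RFC 1071). */
static uint16_t cksum_regen(const uint16_t *w, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += w[i];
    return (uint16_t)~fold(sum);
}

/* Modification: RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'). */
static uint16_t cksum_modify(uint16_t hc, uint16_t m_old, uint16_t m_new)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new);
}

/* Receiver's check: data words plus checksum must sum to 0xffff. */
static int cksum_valid(const uint16_t *w, size_t n, uint16_t ck)
{
    return fold((uint32_t)(uint16_t)~cksum_regen(w, n) + ck) == 0xffff;
}

/* Rewrite word 2 of a constructed packet that arrived with checksum ck_in.
 * Bit 0 of the result: modified checksum verifies; bit 1: regenerated does. */
static int rewrite_word(uint16_t ck_in)
{
    uint16_t pkt[4] = { 0xc0a8, 0x0001, 0x1f90, 0x0050 }; /* constructed */
    uint16_t m_new = 0xc350;
    uint16_t ck_mod = cksum_modify(ck_in, pkt[2], m_new);
    pkt[2] = m_new;
    return cksum_valid(pkt, 4, ck_mod) | (cksum_valid(pkt, 4, cksum_regen(pkt, 4)) << 1);
}

int main(void)
{
    printf("intact: %d, injected error: %d\n", rewrite_word(0x1f76), rewrite_word(0x1f76 ^ 0x0100));
    return 0;
}
```

A result of 3 means both checksums verify at the receiver; 2 means only the regenerated one does, which is the case where a pre-existing error has been hidden.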