Hi, 

On its receive path, wg(4) uses the same mbuf for both the encrypted 
capsule and its encapsulated packet, which it passes up to the stack. We 
must therefore clear this mbuf's checksum status flags, as although the 
capsule may have been subject to hardware offload, its encapsulated packet 
was not.

This ensures that the transport checksums of packets bound for local 
delivery are verified. That is necessary because, although the tunnel 
provides stronger integrity checks, the tunnel endpoints and the 
transport endpoints needn't coincide.

However, as the network and tunnel endpoints _do_ coincide, it remains 
unnecessary to check the per-hop IPv4 checksum.

ok? 

Index: net/if_wg.c
===================================================================
RCS file: /cvs/src/sys/net/if_wg.c,v
retrieving revision 1.7
diff -u -p -u -p -r1.7 if_wg.c
--- net/if_wg.c 23 Jun 2020 10:03:49 -0000      1.7
+++ net/if_wg.c 27 Jun 2020 02:48:37 -0000
@@ -1660,14 +1660,10 @@ wg_decap(struct wg_softc *sc, struct mbu
                goto error;
        }
 
-       /*
-        * We can mark incoming packet csum OK. We mark all flags OK
-        * irrespective to the packet type.
-        */
-       m->m_pkthdr.csum_flags |= (M_IPV4_CSUM_IN_OK | M_TCP_CSUM_IN_OK |
-           M_UDP_CSUM_IN_OK | M_ICMP_CSUM_IN_OK);
-       m->m_pkthdr.csum_flags &= ~(M_IPV4_CSUM_IN_BAD | M_TCP_CSUM_IN_BAD |
-           M_UDP_CSUM_IN_BAD | M_ICMP_CSUM_IN_BAD);
+       /* tunneled packet was not offloaded */
+       m->m_pkthdr.csum_flags = 0;
+       /* optimise: the tunnel provided a stronger integrity check */
+       m->m_pkthdr.csum_flags |= M_IPV4_CSUM_IN_OK;
 
        m->m_pkthdr.ph_ifidx = sc->sc_if.if_index;
        m->m_pkthdr.ph_rtableid = sc->sc_if.if_rdomain;
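
Review bot: The two added statements clear csum_flags and then OR in M_IPV4_CSUM_IN_OK, which is the same as the single assignment `m->m_pkthdr.csum_flags = M_IPV4_CSUM_IN_OK;`. Folding them into one line would make it plain that every other bit is dropped on purpose, including the TCP/UDP/ICMP IN_OK and IN_BAD flags the removed lines handled. The "optimise" comment should also name the condition it relies on, as the message does: the IPv4 header checksum is per-hop and the network and tunnel endpoints coincide. The removed comment noted that flags were set irrespective of packet type; the new code still sets M_IPV4_CSUM_IN_OK without checking that the inner packet is IPv4, so it is worth keeping a word to that effect.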
