author Pablo Neira Ayuso <pablo@netfilter.org> 2016-11-24 12:04:55 +0100
committer Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-06 21:47:54 +0100
commit 1814096980bbe546c4384b7b064126cbe7d40d30
tree 60b487a40c3af0f581b97928d508ade027d8cdb0 /include/net
parent e0ffdbc78d84e1da090f03ab62da3def0e65159e
netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

This patch adds a new flag that signals the kernel to update layer 4 checksum if the packet field belongs to the layer 4 pseudoheader. This implicitly provides stateless NAT 1:1 that is useful under very specific usecases.

Since rules mangling layer 3 fields that are part of the pseudoheader may potentially convey any layer 4 packet, we have to deal with the layer 4 checksum adjustment using protocol specific code.

This patch adds support for TCP, UDP and ICMPv6, since they include the pseudoheader in the layer 4 checksum calculation. ICMP doesn't, so we can skip it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include/net')
-rw-r--r-- include/net/netfilter/nf_tables_core.h 1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
index 862373d4ea9d..8f690effec37 100644
--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -45,6 +45,7 @@ struct nft_payload_set {
enum nft_registers sreg:8;
u8 csum_type;
u8 csum_offset;
+ u8 csum_flags;
};
extern const struct nft_expr_ops nft_payload_fast_ops;
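Review bot: the new `u8 csum_flags;` member of `struct nft_payload_set` has no comment saying which flag bits it may hold, and this view (limited to include/net) does not show where the field is filled in or checked. Because the commit message describes it as a flag that changes how the layer 4 checksum is rewritten, the code that sets it should reject any bit it does not understand rather than store it, and a one-line comment on the field naming the accepted flag would make that contract visible in the header.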