Re: NKEs on Intel-based Macs
- Subject: Re: NKEs on Intel-based Macs
- From: David A Rowland <email@hidden>
- Date: Sat, 19 Aug 2006 16:22:42 -0700
> At 10:43 PM -0700 8/18/06, David A Rowland wrote:
>> You know, this is all just nuts. I don't want to call finalize. I have
>> encrypted the packet and changed its type from TCP to ESP. Unfortunately,
>> the downstream system thinks it is still TCP, computes the TCP checksum
>> and dumps it in the middle of the packet. All I want to do is suppress
>> that calculation. Do I really have to go through all this finalize, host
>> order, byte twiddling nonsense?
> That makes sense, but I'm not sure it applies here. The IP header checksum
> is computed by calling in_cksum(m, len) immediately after ip_id, ip_len,
> and ip_off are converted back to network byte order (ip_output(), Stevens
> TCP/IP Vol 2 page 233). IP header checksum computation is not deferred,
> and the checksum code itself expects network byte order. [If IP header
> checksum computation can be deferred, we'd be in more trouble because we'd
> have to correct for the ip_len field and any others that are in host byte
> order.]
>
> The only checksum computations that are typically deferred (on Macs) are
> the TCP and UDP data sum16 (CSUM_DELAY_DATA), and these don't include the
> 16-bit fields in the IP header. [If I'm wrong about this, I'd like to
> know.]
>
> The place where the current implementation gets in trouble is that
> mbuf_outbound_finalize() computes the checksum with this call:
>
>     in_delayed_cksum_offset(mbuf, protocol_offset);
>
> which includes an implicit "length" parameter (ip->ip_len) in the IP
> header itself that is expected to be in host byte order but has already
> been converted to network byte order when checksum computation is deferred
> to an NKE (ip_output.c):
>
>     ip = mtod(m, struct ip*);
>     offset = IP_VHL_HL(ip->ip_vhl) << 2;
>     // csum = in_cksum_skip(m, ip->ip_len, offset);
>     csum = in_cksum_skip(m, ntohs(ip->ip_len), offset);   // suggested correction
>
> and again:
>
>     // if (offset > ip->ip_len) /* bogus offset */
>     if (offset > ntohs(ip->ip_len)) /* bogus offset */   // suggested correction
>
> The remaining question is how and when Apple should release a fix. Should
> they deprecate mbuf_outbound_finalize() with a newer version? I suspect
> we're still in the first wave of converting NKEs to run on Intel. The
> proof is in getting a bunch of NKEs that actually work on the platform.
I think my rant still has a point, but the following does seem to work.

    #include <sys/kpi_mbuf.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>

    /* Run mbuf_outbound_finalize() on a packet whose IP header is already in
     * network byte order: temporarily put the 16-bit fields it reads back into
     * host order, finalize, then restore them. */
    static void finalize_outbound_ip(mbuf_t mbufPtr)
    {
        struct ip *ipheaderPtr = mbuf_data(mbufPtr);
        ipheaderPtr->ip_len = ntohs(ipheaderPtr->ip_len);
        ipheaderPtr->ip_id  = ntohs(ipheaderPtr->ip_id);
        ipheaderPtr->ip_off = ntohs(ipheaderPtr->ip_off);
        mbuf_outbound_finalize(mbufPtr, AF_INET, 0);
        ipheaderPtr = mbuf_data(mbufPtr);   /* re-fetch: finalize may have touched the mbuf */
        ipheaderPtr->ip_len = htons(ipheaderPtr->ip_len);
        ipheaderPtr->ip_id  = htons(ipheaderPtr->ip_id);
        ipheaderPtr->ip_off = htons(ipheaderPtr->ip_off);
        ipheaderPtr->ip_sum = htons(ipheaderPtr->ip_sum);
        mbuf_inbound_modified(mbufPtr);        /* mbuf->m_pkthdr.csum_flags = 0; */
        mbuf_clear_csum_requested(mbufPtr);    /* mbuf->m_pkthdr.csum_data = 0; */
    }

I will test some more and post the results.

David
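As an added illustration of the byte-order hazard discussed in this thread (example code, not from the thread or from xnu), here is a user-space model: an RFC 1071 one's-complement checksum, a stand-in for in_delayed_cksum_offset() that trusts ip_len exactly as it sits in memory, and the ntohs/htons swap-around from the post. The function names (delayed_tcp_cksum, finalize_with_workaround, swap_ip_hdr_fields), the buffer-bounds refusal, and the sample IPv4/TCP packet are all this example's own constructions.

```c
/* Added example: user-space model of the ip_len byte-order problem.
 * Not from the thread or from xnu; every name here is this example's own. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN  20
#define TCP_HLEN 20
#define PAYLOAD  20

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement accumulate (acc carries between calls) and fold. */
static uint32_t sum16(const uint8_t *b, size_t n, uint32_t acc)
{
    for (; n > 1; b += 2, n -= 2) acc += (uint32_t)get16(b);
    if (n) acc += (uint32_t)b[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2 (DF), TCP 1234 -> 80 PSH|ACK,
 * 20 payload bytes 0x00..0x13. IP checksum filled in, TCP checksum left 0. */
static size_t build_packet(uint8_t *pkt)
{
    static const uint8_t hdr[IP_HLEN + TCP_HLEN] = {
        0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0
    };
    memcpy(pkt, hdr, sizeof hdr);
    for (int i = 0; i < PAYLOAD; i++) pkt[IP_HLEN + TCP_HLEN + i] = (uint8_t)i;
    put16(pkt + 10, fold(sum16(pkt, IP_HLEN, 0)));   /* ip_sum over the wire-order header */
    return IP_HLEN + TCP_HLEN + PAYLOAD;
}

/* TCP pseudo-header sum: src, dst, zero, proto 6, tcp length. */
static uint32_t pseudo_sum(const uint8_t *pkt, uint16_t tcp_len)
{
    uint8_t ph[12];
    memcpy(ph, pkt + 12, 8);
    ph[8] = 0; ph[9] = 6; put16(ph + 10, tcp_len);
    return sum16(ph, sizeof ph, 0);
}

/* Stand-in for in_delayed_cksum_offset(): reads ip_len as it sits in memory, as a
 * host-order integer, the way ip->ip_len does. On a little-endian host the wire
 * bytes 00 3c come back as 0x3c00 (15360); "offset > ip_len" would not catch that,
 * so this model refuses it instead of summing past the buffer. 0 = ok, -1 = bogus. */
static int delayed_tcp_cksum(uint8_t *pkt, size_t pkt_len)
{
    uint16_t ip_len;
    memcpy(&ip_len, pkt + 2, sizeof ip_len);
    if (ip_len < IP_HLEN + TCP_HLEN || ip_len > pkt_len) return -1;
    uint16_t tcp_len = (uint16_t)(ip_len - IP_HLEN);
    put16(pkt + IP_HLEN + 16, 0);
    put16(pkt + IP_HLEN + 16, fold(sum16(pkt + IP_HLEN, tcp_len, pseudo_sum(pkt, tcp_len))));
    return 0;
}

/* Receiver-side check: the sum including the checksum field must fold to 0. */
static int tcp_cksum_ok(const uint8_t *pkt, size_t pkt_len)
{
    uint16_t ip_len = get16(pkt + 2);                  /* decoded from wire order */
    if (ip_len < IP_HLEN + TCP_HLEN || ip_len > pkt_len) return 0;
    uint16_t tcp_len = (uint16_t)(ip_len - IP_HLEN);
    return fold(sum16(pkt + IP_HLEN, tcp_len, pseudo_sum(pkt, tcp_len))) == 0;
}

/* The swap-around from the post: ip_len, ip_id, ip_off to host order, checksum,
 * back to network order. ntohs/htons are self-inverse and are no-ops on a
 * big-endian host, which is why the same code never broke on PowerPC. */
static void swap_ip_hdr_fields(uint8_t *pkt)
{
    static const int off[3] = { 2, 4, 6 };             /* ip_len, ip_id, ip_off */
    for (int i = 0; i < 3; i++) {
        uint16_t v; memcpy(&v, pkt + off[i], 2); v = ntohs(v); memcpy(pkt + off[i], &v, 2);
    }
}
static int finalize_with_workaround(uint8_t *pkt, size_t pkt_len)
{
    swap_ip_hdr_fields(pkt);
    int rc = delayed_tcp_cksum(pkt, pkt_len);
    swap_ip_hdr_fields(pkt);
    return rc;
}
static int is_little_endian(void) { return htons(1) != 1; }

int main(void)
{
    uint8_t pkt[64], naive[64];
    size_t n = build_packet(pkt);
    memcpy(naive, pkt, n);
    printf("%s-endian host\n", is_little_endian() ? "little" : "big");
    printf("ip_len taken as found:   %s\n",
           delayed_tcp_cksum(naive, n) == 0 ? "checksum computed" : "bogus length, refused");
    finalize_with_workaround(pkt, n);
    printf("with ntohs/htons around: tcp csum 0x%04x, verifies=%d, ip_len=%u\n",
           get16(pkt + IP_HLEN + 16), tcp_cksum_ok(pkt, n), get16(pkt + 2));
    return 0;
}
```

On an Intel host the naive path sees a length of 15360 for a 60-byte packet; in the kernel that is not a refusal but a walk past the end of the mbuf chain, and the "offset > ip_len" test passes because 20 is smaller than 15360. The swap-around makes the delayed checksum see 60, and the IP header checksum (computed over wire-order bytes) still verifies afterwards because the fields are put back before anything else reads them.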
_______________________________________________
Macnetworkprog mailing list (email@hidden)