netfilter: nfnetlink_queue: avoid expensive gso segmentation and checksum fixup
Florian Westphal [Fri, 19 Apr 2013 04:58:27 +0000 (04:58 +0000)]
Userspace can now indicate that it can cope with larger-than-mtu sized
packets and packets that have invalid ipv4/tcp checksums.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter/nfnetlink_queue.h
net/netfilter/nfnetlink_queue_core.c

index 0069da3..a2308ae 100644 (file)
@@ -97,7 +97,8 @@ enum nfqnl_attr_config {
 /* Flags for NFQA_CFG_FLAGS */
 #define NFQA_CFG_F_FAIL_OPEN                   (1 << 0)
 #define NFQA_CFG_F_CONNTRACK                   (1 << 1)
-#define NFQA_CFG_F_MAX                         (1 << 2)
+#define NFQA_CFG_F_GSO                         (1 << 2)
+#define NFQA_CFG_F_MAX                         (1 << 3)
 
 /* flags for NFQA_SKB_INFO */
 /* packet appears to have wrong checksums, but they are ok */
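Review bot: `NFQA_CFG_F_GSO` is added to a UAPI header without a comment, and its name covers only half of what it does: in nfnetlink_queue_core.c the same bit also disables the `skb_checksum_help()` fixup. A listener that sets it must accept larger-than-MTU payloads and unfinished checksums, so I would document that contract next to the define, e.g. `/* listener accepts GSO (larger-than-MTU) packets and packets with incomplete checksums; check NFQA_SKB_INFO */`. A filtering or IDS consumer that sizes its receive buffer for the MTU, or discards on checksum mismatch, would otherwise truncate or skip traffic it was meant to inspect. The enum and the NFQA_SKB_INFO flag definitions lie outside this hunk.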
index d052cd6..2e0e835 100644 (file)
@@ -327,7 +327,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
                break;
 
        case NFQNL_COPY_PACKET:
-               if (entskb->ip_summed == CHECKSUM_PARTIAL &&
+               if (!(queue->flags & NFQA_CFG_F_GSO) &&
+                   entskb->ip_summed == CHECKSUM_PARTIAL &&
                    skb_checksum_help(entskb))
                        return NULL;
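Review bot: The new `!(queue->flags & NFQA_CFG_F_GSO)` test skips `skb_checksum_help()` for every `CHECKSUM_PARTIAL` skb, not only for GSO ones, so with the flag set an ordinary MTU-sized packet also reaches userspace with its checksum unfilled. That matches the commit description, but the branch should say so, e.g. `/* NFQA_CFG_F_GSO listeners take CHECKSUM_PARTIAL packets as-is; they must not trust the L4 checksum */`. Whether the message tells the listener about this per packet (an NFQA_SKB_INFO attribute) is not visible here, because nfqnl_build_packet_message continues on both sides of the hunk. If it does not, the listener cannot tell an unfinished checksum from a corrupt one.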
 
@@ -636,7 +637,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
        if (queue->copy_mode == NFQNL_COPY_NONE)
                return -EINVAL;
 
-       if (!skb_is_gso(entry->skb))
+       if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(entry->skb))
                return __nfqnl_enqueue_packet(net, queue, entry);
 
        skb = entry->skb;
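Review bot: With `NFQA_CFG_F_GSO` set, the early return hands an unsegmented GSO skb to `__nfqnl_enqueue_packet()`, and this commit does not touch the verdict path, so what happens when userspace returns a replaced or resized payload for such an skb cannot be judged from here. It is worth confirming that a mangled payload leaves the GSO metadata and `ip_summed` state consistent before the packet is reinjected. A short comment on the condition would also help, e.g. `/* listener takes GSO skbs as-is: skip software segmentation */`. nfqnl_enqueue_packet starts before and continues after this hunk.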