Re: [RFC] Fixing up TCP/UDP checksum for UDP encap. ESP4 packets in transport mode
From: David Miller <davem@davemloft.net>
Date: 2009-07-07 01:30:22
From: Herbert Xu <herbert@gondor.apana.org.au> Date: Tue, 30 Jun 2009 22:08:35 +0800
On Tue, Jun 30, 2009 at 03:00:36PM +0800, Herbert Xu wrote:
Now as to the technical problem of how to recompute the checksums cleanly, may I draw your attention to gso_send_checksum which does exactly what you want.

Something like this untested patch. Note that I still think this is totally wrong (see the patch description for an explanation). Perhaps a better way to do this is to write a netfilter module to fix up checksums on egress. That way it would be even more explicit that you should do the checksum verification on the opposite end as well. The real solution is to get natoa, or even better, ditch transport mode if you're doing NAT.
Ugly solution or not, I don't like this patch because it requires userspace to set this new attribute just to get correct checksums. Can't we just detect the "came through remote peer" situation and just do the checksum fixup in that case? Anything that doesn't require user changes, and as you've implemented it the user change is only possible with netlink IPSEC users.