Re: [RFC] Fixing up TCP/UDP checksum for UDP encap. ESP4 packets in transport mode
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2009-07-07 01:40:14
On Mon, Jul 06, 2009 at 06:30:29PM -0700, David Miller wrote:
> Ugly solution or not I don't like this patch because it requires userspace to set this new attribute just to get correct checksums.
>
> Can't we just detect the "came through remote peer" situation and just do the checksum fixup in that case?
>
> Anything that doesn't require user changes, and as you've implemented it the user change is only possible with netlink IPSEC users.

Hmm, I deliberately didn't want to have this as the default because I want whoever enables it to think about the implications.

Having it on by default means that people will just set this up without realising that they're leaving the packet unprotected by checksums for a fraction of the path.

As I explained, it's almost impossible to use this without leaving the packet unprotected at least in one direction.

Having said that, I'm fine with turning this into a sysctl or some global setting that's easier to enable.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt