NAT and UDP checksum
Rusty Russell
rusty@linuxcare.com.au
Fri, 11 Feb 2000 10:59:34 +1100
In message <001101bf733b$eb756fb0$040a0a0a@internal> you write:
> I have a NAT filter which changes a port number in the data stream of a UDP
> packet. The data is also encrypted. So I decrypt it, change the port and
> encrypt it again. This worked fine under ipchains as a masq module. I
> didn't need to update any checksums. Apparently with netfilter I need to
> update the UDP checksum because the destination machine rejects the UDP
> packet as bad. What is the appropriate function for recomputing the
> checksum? I've tried many of them but I'm not clear as I never had to do
> this before. Because of the encryption the data for the packet from the
> embedded port number on has effectively changed.
Something vaguely like this:
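
    if (udph->check) {
            /* udph->len is a 16-bit field: ntohs(), not ntohl() */
            udph->check = 0;
            udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
                                            ntohs(udph->len),
                                            IPPROTO_UDP,
                                            csum_partial((unsigned char *)udph,
                                                         ntohs(udph->len),
                                                         0));
            /* a computed 0 is sent as all ones; 0 means "no checksum" */
            if (!udph->check)
                    udph->check = 0xFFFF;
    }
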
Make sure you check the checksum is valid before you decode the packet
(drop it if it's not).
Hope that helps,
Rusty.
--
Hacking time.
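
Added example, not part of the original message and not kernel code: a userspace C sketch of the sequence the reply describes, which verifies the UDP checksum over the IPv4 pseudo-header before touching the payload and recomputes it after the rewrite. The names udp_csum_valid and udp_csum_update, the 8-byte addrs layout (source then destination address) and the sample packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Add big-endian 16-bit words to a running sum; an odd last byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Pseudo-header (addrs = saddr+daddr, 8 bytes; zero; proto; length) + UDP header + data. */
static uint16_t udp_fold(const uint8_t *addrs, const uint8_t *udp, size_t len)
{
    const uint8_t ph[4] = { 0, 17 /* IPPROTO_UDP */, (uint8_t)(len >> 8), (uint8_t)len };
    uint32_t sum = sum16(udp, len, sum16(ph, 4, sum16(addrs, 8, 0)));
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 = accept (valid, or checksum field 0 = sender used none); 0 = drop before decoding. */
int udp_csum_valid(const uint8_t *addrs, const uint8_t *udp, size_t len)
{
    if (len < 8 || (((size_t)udp[4] << 8) | udp[5]) != len)
        return 0;                               /* truncated or inconsistent length */
    return (udp[6] == 0 && udp[7] == 0) || udp_fold(addrs, udp, len) == 0;
}

/* Recompute after the payload was rewritten; a "no checksum" packet stays that way. */
void udp_csum_update(const uint8_t *addrs, uint8_t *udp, size_t len)
{
    if (udp[6] == 0 && udp[7] == 0)
        return;
    udp[6] = udp[7] = 0;
    uint16_t c = udp_fold(addrs, udp, len);
    udp[6] = c ? (uint8_t)(c >> 8) : 0xff;      /* a computed 0 goes out as 0xffff, */
    udp[7] = c ? (uint8_t)c : 0xff;             /* since 0 means "no checksum"      */
}

int main(void)
{
    const uint8_t addrs[8] = { 10, 0, 0, 1, 10, 0, 0, 2 };      /* constructed sample */
    uint8_t pkt[12] = { 0x13, 0x88, 0x13, 0x89, 0, 12, 0xa5, 0x31, 0x1f, 0x90, 0, 1 };
    if (!udp_csum_valid(addrs, pkt, sizeof pkt)) return 1;     /* would be dropped */
    pkt[9] = 0x91;                              /* stand-in for the rewritten port */
    udp_csum_update(addrs, pkt, sizeof pkt);
    return !udp_csum_valid(addrs, pkt, sizeof pkt);
}
```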