qubes-mirage-firewall
Checksum offload
Currently, we don't checksum incoming packets and we calculate the full checksum when doing NAT. This means:
- We may fail to detect invalid incoming packets (although hopefully NetVM will check that for us).
- We calculate checksums that aren't needed (packet is going internally, or the hardware could add it).
- Packets routed internally from one Linux VM to another might lose the flag saying the checksum is invalid.
The Mirage NETWORK interface should be extended to allow us to read and write the checksum flags so we can set things correctly.
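
The flag handling this issue asks for, sketched as an added Python example (not code from qubes-mirage-firewall, which is written in OCaml). The `Packet` type, the `csum_blank` and `data_validated` flag names, and `nat_forward` are assumptions made for illustration; the model is simplified so that whoever fills a blank field recomputes the whole TCP checksum.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, proto, length))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                    # 6 = TCP (UDP's zero-checksum rule is not modelled)
    segment: bytes                # transport header + payload
    csum_offset: int              # 16 for TCP
    csum_blank: bool = False      # assumed flag: checksum field not filled in yet
    data_validated: bool = False  # assumed flag: an earlier hop vouches for the data

def covered(p: Packet, segment: bytes) -> bytes:
    return pseudo_header(p.src, p.dst, p.proto, len(segment)) + segment

def fill_checksum(p: Packet) -> Packet:
    """Full software checksum: the cost the issue wants to avoid when possible."""
    seg = bytearray(p.segment)
    seg[p.csum_offset:p.csum_offset + 2] = b"\x00\x00"
    csum = inet_checksum(covered(p, bytes(seg)))
    seg[p.csum_offset:p.csum_offset + 2] = struct.pack("!H", csum)
    return replace(p, segment=bytes(seg), csum_blank=False)

def incoming_ok(p: Packet) -> bool:
    """Verify in software only when no flag says 'blank' or 'already checked'."""
    if p.csum_blank or p.data_validated:
        return True
    return inet_checksum(covered(p, p.segment)) == 0

def nat_forward(p: Packet, new_src: str, next_hop_fills_checksum: bool):
    """Drop invalid packets; after NAT, compute the checksum only if nobody else will."""
    if not incoming_ok(p):
        return None
    out = replace(p, src=new_src)
    if next_hop_fills_checksum:      # internal VM or offloading hardware
        return replace(out, csum_blank=True)  # keep the flag, skip the work
    return fill_checksum(out)        # next hop expects a finished checksum
```

Dropping `csum_blank` without filling the field is the failure described in the third bullet: the receiver then verifies a checksum that was never written.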