Linux NAT optimization: the checksum

Source: Internet
Author: User
We know that Linux NAT is a stateful NAT built on ip_conntrack; in effect its configuration resembles BSD's keep state. If you look at the PREROUTING hook of Netfilter, you will see that ip_conntrack depends on ip_defrag: all the fragments of an IP datagram must be reassembled before they can enter ip_conntrack and then NAT. If we want to perform NAT on each IP fragment separately, this is what we have to deal with. The optimization logic, which I have posted repeatedly in other articles, is shown in the figure from those articles (note that the figure covers only the conntrack logic, not NAT).

Let me first talk about what NAT needs to pay attention to. In fact, there is almost nothing: the only thing is the checksum of the IP header and of the TCP/UDP header (if one is present). Note that these checksums are neither encryption nor a cryptographic digest; once you know how easily a checksum is computed, you have overcome, from the heart, the fear of per-fragment NAT! We only need to pick out the first fragment, the one carrying the TCP header. Because computing the checksum is purely arithmetic, like elementary-school addition, and addition is commutative and associative, we can treat the checksummed payload and the rest of the TCP header as a constant; only the pseudo-header changes. The formula is as follows (in the ones'-complement arithmetic the Internet checksum uses):

new checksum = old checksum - old pseudo-header checksum + new pseudo-header checksum

The checksum is affected only by the pseudo-header, and NAT changes only the pseudo-header. Because I hate dynamic NAT (XX bank's troubleshooting kept me from going home until too late, hungry and quarrelling with my wife, out here on the edge of civilization), NAT here means one-to-one static NAT, a static mapping, even if it is a static NAT I damn well implemented myself! So each fragment leaves the figure above and is handed to the NAT module, which executes the following logic:

1. Determine whether the fragment carries the complete TCP header. If it does, modify the TCP checksum (UDP likewise) according to the formula above, using the NAT result.
2. It may not carry the complete TCP header! The logic in the figure above ensures that the transport-layer header can always be carried (but not absolutely!).
3. Because the guarantee in 2 is not absolute (after all, the optimization might be applied to NAT alone, without conntrack), if the fragment does not carry the complete TCP header, wait according to that logic.

I have spent so long on NAT! Alas, for NAT's sake I look forward to IPv6, and now IP fragments have been dragged in as well. I look forward to IPv6; by then there will be neither NAT nor fragmentation! Today I am really not in high spirits. People out on the edge are always screaming; the Mac OS network is working fine, and the barbarian is screaming again. Here is a poem I wrote down: Scolding and misunderstanding! All around me! Arrogant, selfish, and boring! Burning in my heart! You are no clearer than I am, yet you are arrogant; please raise your head and let you know! Understanding, more or less. I care more, but I am even more arrogant than you! It's just that something is slowly developing, and in the end it's a fucking thing! Shit, everything! Shit, life!
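The three-step logic above, worked through in code. This is an added example, not code from the article or from the Linux kernel: it writes the article's formula in the ones'-complement form the Internet checksum actually requires (RFC 1071 for the sum, RFC 1624 equation 3 for the incremental update), builds one constructed TCP segment, splits it into two constructed fragments, applies one-to-one static SNAT, and checks that fixing the TCP checksum on the first fragment alone, using only the old checksum and the two addresses, agrees with a full recomputation over the reassembled segment. The addresses 192.0.2.10, 198.51.100.10 and 203.0.113.5, the header fields and the payload bytes are all assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Ones'-complement sum of a byte buffer as big-endian 16-bit words (RFC 1071),
 * continuing from acc; an odd trailing byte is padded with a zero low byte. */
static uint32_t ocsum(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len >= 2; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);   /* end-around carry */
    return acc;
}

/* Reduce to 16 bits and complement: the value that goes on the wire. */
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Sum of the TCP pseudo-header: src, dst, zero, protocol 6, TCP length. */
static uint32_t pseudo_sum(uint32_t src, uint32_t dst, size_t tcp_len) {
    uint8_t ph[12] = {0};
    put32(ph, src); put32(ph + 4, dst);
    ph[9] = 6; ph[10] = (uint8_t)(tcp_len >> 8); ph[11] = (uint8_t)tcp_len;
    return ocsum(ph, 12, 0);
}

/* Full TCP checksum over the whole (reassembled) segment; the segment's own
 * checksum field, bytes 16..17, counts as zero. */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len) {
    uint32_t acc = ocsum(seg, 16, pseudo_sum(src, dst, len));
    return fold(ocsum(seg + 18, len - 18, acc));
}

/* Receiver-side check: summing everything including the checksum gives 0xffff. */
int tcp_verify(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len) {
    return ocsum(seg, len, pseudo_sum(src, dst, len)) == 0xffff;
}

/* IPv4 header checksum of a 20-byte header, bytes 10..11 counted as zero. */
uint16_t ip_checksum(const uint8_t *h) {
    return fold(ocsum(h + 12, 8, ocsum(h, 10, 0)));
}

/* The article's formula in ones'-complement form (RFC 1624 eq. 3):
 * HC' = ~(~HC + ~m + m'), with m / m' the old / new 32-bit address as two words.
 * It needs only the old checksum and the two addresses, never the payload, so
 * it serves both the IP header and the TCP pseudo-header. */
uint16_t csum_update_addr(uint16_t hc, uint32_t old_addr, uint32_t new_addr) {
    uint32_t acc = (uint16_t)~hc;
    acc += (uint16_t)~(old_addr >> 16) + (uint16_t)~(old_addr & 0xffff);
    acc += (new_addr >> 16) + (new_addr & 0xffff);
    return fold(acc);
}

/* Constructed scenario: a 50-byte TCP segment (20-byte header + 30 bytes data)
 * is split into fragment 1 (header + 12 data bytes, offset 0, MF set) and
 * fragment 2 (the remaining 18 bytes at offset 32/8 = 4). Static SNAT rewrites
 * 192.0.2.10 -> 198.51.100.10 towards 203.0.113.5. Returns 1 if the incremental
 * updates match a full recomputation over the reassembled segment. */
int snat_fragments_demo(void) {
    const uint32_t old_src = 0xC000020Au, new_src = 0xC633640Au, dst = 0xCB007105u;
    uint8_t seg[50] = {0xC0, 0x01, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                       0x50, 0x18, 0xFF, 0xFF, 0, 0, 0, 0};
    memset(seg + 20, 'A', 30);
    uint16_t hc = tcp_checksum(old_src, dst, seg, 50);       /* sender's value */
    seg[16] = (uint8_t)(hc >> 8); seg[17] = (uint8_t)hc;

    uint8_t ip1[20] = {0x45, 0, 0, 52, 0x12, 0x34, 0x20, 0x00, 64, 6};
    uint8_t ip2[20] = {0x45, 0, 0, 38, 0x12, 0x34, 0x00, 0x04, 64, 6};
    put32(ip1 + 12, old_src); put32(ip1 + 16, dst);
    put32(ip2 + 12, old_src); put32(ip2 + 16, dst);
    uint16_t c1 = ip_checksum(ip1), c2 = ip_checksum(ip2);

    /* NAT rewrites the source address in every fragment. */
    put32(ip1 + 12, new_src);
    put32(ip2 + 12, new_src);
    /* Address changed but checksum untouched: the receiver would discard the
     * segment. This is exactly the defect a per-fragment NAT must avoid. */
    int stale_rejected = !tcp_verify(new_src, dst, seg, 50);

    /* Fragment 1 carries the TCP header: fix both the IP and TCP checksums. */
    uint16_t ip1_new = csum_update_addr(c1, old_src, new_src);
    uint16_t tcp_new = csum_update_addr(hc, old_src, new_src);
    seg[16] = (uint8_t)(tcp_new >> 8); seg[17] = (uint8_t)tcp_new;
    /* Fragment 2 has no transport header: only its IP checksum changes. */
    uint16_t ip2_new = csum_update_addr(c2, old_src, new_src);

    return stale_rejected &&
           ip1_new == ip_checksum(ip1) && ip2_new == ip_checksum(ip2) &&
           tcp_new == tcp_checksum(new_src, dst, seg, 50) &&
           tcp_verify(new_src, dst, seg, 50);
}
```

The point to take from the demo is the one the article makes: because the checksum is a plain sum and not a cryptographic digest, the NAT box never needs the later fragments to fix the first one, and the later fragments need only their IP header checksum touched. For a port-changing (NAPT) mapping the same update routine would be applied to the port word as well; the demo keeps to the one-to-one static case the text describes.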