- init (#23)

fortanix · Jan 6, 2025 · f420ca8 · f420ca8
1 parent 53824d9
commit f420ca8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/vsock-proxy/parent/src/network.rs b/vsock-proxy/parent/src/network.rs
@@ -175,6 +175,15 @@ pub(crate) enum ChecksumComputationError {
     Err(String),
 }
 
+/// Recomputes the checksum of a network packet provided as a mutable byte slice. It calculates and updates the checksum for:
+/// Layer 3 (L3): IPv4 header checksum.
+/// Layer 4 (L4): Transport layer checksum for TCP or UDP.
+/// # Returns
+/// Ok(()): Indicates the checksums have been successfully recomputed and updated.
+/// Err(ChecksumComputationError): Returns an error if the function encounters issues while:
+/// - Parsing the Ethernet packet.
+/// - Computing the checksum for IPv4, TCP, or UDP headers.
+/// - Encountering an unsupported Layer 4 protocol.
 pub(crate) fn recompute_packet_checksum(data: &mut [u8]) -> Result<(), ChecksumComputationError> {
     let ethernet_packet = SlicedPacket::from_ethernet(&data)
         .map_err(|err| ChecksumComputationError::Err(format!("Cannot parse ethernet packet. {:?}", err)))?;

diff --git a/vsock-proxy/parent/src/packet_capture.rs b/vsock-proxy/parent/src/packet_capture.rs
@@ -76,6 +76,10 @@ async fn read_from_device_async(
     while let Some(pkt) = capture.next().await {
         if let Err(err) = async {
             let mut data = pkt.map_err(|err| format!("error reading from pcap device: {:?}", err))??;
+            // We do packet checksum recomputation to fix the checksum of the packets that come from host’s network device when network-local request (request to a service running on a host) is being made inside the enclave.
+            // If we don’t do that the kernel inside the enclave will just drop packets it deems incorrect (because of the wrong checksum) and no connection would get established.
+            // In a regular case when enclave connects to an external service the incoming packets first hits host’s physical network device that computes the checksum.
+            // In case of a network-local request Salmiac captures the packets before they hit host’s device and the kernel inside the enclave rejects them having bad checksum.
             match recompute_packet_checksum(&mut data) {
                 Err(ChecksumComputationError::UnsupportedProtocol(protocol)) => {
                     if unsupported_protocols.insert(protocol) {