From df6f291a28c9d81a84cbf46899d6b4540fba09c0 Mon Sep 17 00:00:00 2001
From: NikitaShyrei
Date: Tue, 17 Dec 2024 16:05:56 +0100
Subject: [PATCH] - init

---
 vsock-proxy/parent/src/network.rs | 9 +++++++++
 vsock-proxy/parent/src/packet_capture.rs | 4 ++++
 2 files changed, 13 insertions(+)

diff --git a/vsock-proxy/parent/src/network.rs b/vsock-proxy/parent/src/network.rs
index 58cfad9..60cd2b0 100644
--- a/vsock-proxy/parent/src/network.rs
+++ b/vsock-proxy/parent/src/network.rs
@@ -175,6 +175,15 @@ pub(crate) enum ChecksumComputationError {
 Err(String),
 }
 
+/// Recomputes the checksum of a network packet provided as a mutable byte slice. It calculates and updates the checksum for:
+/// Layer 3 (L3): IPv4 header checksum.
+/// Layer 4 (L4): Transport layer checksum for TCP or UDP.
+/// # Returns
+/// Ok(()): Indicates the checksums have been successfully recomputed and updated.
+/// Err(ChecksumComputationError): Returns an error if the function encounters issues while:
+/// - Parsing the Ethernet packet.
+/// - Computing the checksum for IPv4, TCP, or UDP headers.
+/// - Encountering an unsupported Layer 4 protocol.
 pub(crate) fn recompute_packet_checksum(data: &mut [u8]) -> Result<(), ChecksumComputationError> {
 let ethernet_packet = SlicedPacket::from_ethernet(&data)
 .map_err(|err| ChecksumComputationError::Err(format!("Cannot parse ethernet packet. {:?}", err)))?;
diff --git a/vsock-proxy/parent/src/packet_capture.rs b/vsock-proxy/parent/src/packet_capture.rs
index 7e8b454..579c2cd 100644
--- a/vsock-proxy/parent/src/packet_capture.rs
+++ b/vsock-proxy/parent/src/packet_capture.rs
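Review bot: The added doc comment on `recompute_packet_checksum` does not follow rustdoc conventions: the first line should be a single summary sentence (it currently runs into a colon-terminated list whose items are not markdown bullets, so rustdoc renders them as one paragraph), and the failure cases belong under an `# Errors` heading rather than `# Returns`, with `Ok(())`, `ChecksumComputationError` and the variant names in backticks. The variants are visible on this page as `Err(String)` (context line above) and `UnsupportedProtocol(..)` (the packet_capture.rs hunk), so each bullet can name the variant it produces instead of the generic `Err(ChecksumComputationError)`. A summary such as `/// Recomputes the IPv4 header checksum and the TCP/UDP transport checksum of an Ethernet frame in place.` followed by an `# Errors` section with one bullet per failure would be the idiomatic shape. The function body continues past the end of the hunk, so whether it also rejects IPv6, non-Ethernet or truncated frames cannot be confirmed from here; the doc should only claim what the body actually does.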
@@ -76,6 +76,10 @@ async fn read_from_device_async(
 while let Some(pkt) = capture.next().await {
 if let Err(err) = async {
 let mut data = pkt.map_err(|err| format!("error reading from pcap device: {:?}", err))??;
+ // We do packet checksum recomputation to fix the checksum of the packets that come from host’s network device when network-local request (request to a service running on a host) is being made inside the enclave.
+ // If we don’t do that the kernel inside the enclave will just drop packets it deems incorrect (because of the wrong checksum) and no connection would get established.
+ // In a regular case when enclave connects to an external service the incoming packets first hits host’s physical network device that computes the checksum.
+ // In case of a network-local request Salmiac captures the packets before they hit host’s device and the kernel inside the enclave rejects them having bad checksum.
 match recompute_packet_checksum(&mut data) {
 Err(ChecksumComputationError::UnsupportedProtocol(protocol)) => {
 if unsupported_protocols.insert(protocol) {
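Review bot: The new comment justifies the recomputation only for network-local requests, but the `match recompute_packet_checksum(&mut data)` it precedes runs on every frame the capture yields, so as far as the visible lines show it also rewrites the checksum of frames from external hosts, including any that were genuinely corrupted in transit and that the enclave kernel would otherwise have dropped. The comment should state that trade-off, e.g. append `// Note: this runs on every captured frame, so a frame that was actually corrupted in transit gets a valid checksum and is accepted rather than dropped; L3/L4 checksums no longer provide integrity for enclave-bound traffic.` The phenomenon described (the host NIC filling in the checksum after capture) is checksum offload, and naming it would make the rationale searchable for the next maintainer. As a point of style, the four lines run well past 100 columns and use typographic apostrophes (`don’t`, `host’s`); wrap them and use ASCII `'`. The enclosing `read_from_device_async` starts and ends outside the hunk.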