Because I need to use ESP in transport mode in a docker container, I want to disable TCP checksum verification in the docker container. Is there any way this is possible?
If not, is there some way I can hand the packets to a custom netfilter module before they get dropped, so that it can correct the checksum? For example, to correct outgoing packets I used:
sudo iptables -t mangle -A POSTROUTING -p tcp -j NFQUEUE
and then simply wrote a custom hook to correct the checksums before the ESP encryption happens.
However, I tried the same for incoming packets:
sudo iptables -t mangle -A PREROUTING -p tcp -j NFQUEUE
and never see any packets arrive at NFQUEUE, so I assume they get dropped before they even reach the queue because the checksum is incorrect. Is there any way to prevent this?
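The checksum-correcting part of a userspace NFQUEUE hook like the one the question describes, as an added illustration that is not the poster's code: it parses a raw IPv4+TCP packet, recomputes the TCP checksum over the pseudo-header and segment, and returns the patched bytes. The sample packet is constructed here with a deliberately wrong checksum field; the libnetfilter_queue binding that would hand the packet in and accept it back is assumed and not shown, so the block runs offline.

```python
import struct

IP_PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP length."""
    return src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)


def split_ipv4_tcp(packet: bytes):
    """Return (ip_header, src, dst, tcp_segment) or raise if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_TCP:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[:ihl], packet[12:16], packet[16:20], packet[ihl:total_len]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum field already matches the segment."""
    _, src, dst, tcp = split_ipv4_tcp(packet)
    covered = tcp_pseudo_header(src, dst, len(tcp)) + tcp
    return ones_complement_sum(covered) == 0xFFFF


def fix_tcp_checksum(packet: bytes) -> bytes:
    """Recompute the TCP checksum and return the patched packet bytes.

    This is what the NFQUEUE hook would do to the payload before
    accepting the verdict; the IP header is left untouched.
    """
    ip_hdr, src, dst, tcp = split_ipv4_tcp(packet)
    seg = bytearray(tcp)
    seg[16:18] = b"\x00\x00"  # checksum field is zero while computing
    csum = (~ones_complement_sum(tcp_pseudo_header(src, dst, len(seg)) + seg)) & 0xFFFF
    seg[16:18] = struct.pack("!H", csum)
    return ip_hdr + bytes(seg) + packet[len(ip_hdr) + len(tcp):]


def build_sample_packet(tcp_csum_field: int) -> bytes:
    """Constructed IPv4 SYN 10.0.0.1:12345 -> 10.0.0.2:443 with a chosen TCP checksum field."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 12345, 443, 1, 0, 5 << 4, 0x02, 0xFFFF, tcp_csum_field, 0)
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                                   0x4000, 64, IP_PROTO_TCP, 0, src, dst))
    ip_hdr[10:12] = struct.pack("!H", (~ones_complement_sum(bytes(ip_hdr))) & 0xFFFF)
    return bytes(ip_hdr) + tcp


# Constructed sample with a bogus checksum value, as a checksum-offloaded or
# mangled packet might carry when it reaches the queue.
SAMPLE_PACKET = build_sample_packet(0xDEAD)

if __name__ == "__main__":
    print("before:", tcp_checksum_ok(SAMPLE_PACKET))
    print("after: ", tcp_checksum_ok(fix_tcp_checksum(SAMPLE_PACKET)))
```

In a real queue handler the callback would call `fix_tcp_checksum` on the packet payload, write the result back as the new payload and accept the packet; the same `ones_complement_sum` helper covers the IPv4 header checksum if the hook also rewrites IP fields. For the constructed SYN above the correct TCP checksum works out to 0x69EB.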