Date: Sat, 4 Mar 2006 16:02:26 +0100
From: Max Laier <max@love2party.net>
To: freebsd-net@freebsd.org
Cc: Adam McDougall <mcdouga9@egr.msu.edu>, Pieter de Boer <pieter@thedarkside.nl>
Subject: Re: PR kern/93849 IP checksum broken by pf no-df over bridge
Message-ID: <200603041602.42599.max@love2party.net>
In-Reply-To: <4409A975.1080108@thedarkside.nl>
References: <20060304142802.GA63144@egr.msu.edu> <4409A975.1080108@thedarkside.nl>

On Saturday 04 March 2006 15:51, Pieter de Boer wrote:
> Adam McDougall wrote:
> > Could someone possibly take a look at this and let me know if it
> > looks 'broken' or if I might be doing something wrong? I am in
> > a crunch to choose a firewall solution within a few weeks and it
> > would help me to know if this issue can be solved. FreeBSD/pf
> > seemed an appropriate solution so far, especially since it has
> > CARP, pfsync, (and altq which I'm not using (yet?)).
>
> You could try compiling pf using CFLAGS=-O instead of -O2. This fixed a
> checksum problem I had. That probably was an entirely different issue,
> but perhaps it does help..

Can you try this patch and report back instead. Thanks and sorry for the
delay.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: nodf.fix.diff

Index: pf_norm.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v retrieving revision 1.16 diff -u -r1.16 pf_norm.c =2D-- pf_norm.c 19 Jan 2006 11:46:45 -0000 1.16 +++ pf_norm.c 4 Mar 2006 14:49:13 -0000 
@@ -988,8 +988,12 @@ goto drop; =20 /* Clear IP_DF if the rule uses the no-df option */ =2D if (r->rule_flag & PFRULE_NODF) + if ((r->rule_flag & PFRULE_NODF) { + u_int16_t old =3D h->ip_off; + h->ip_off &=3D htons(~IP_DF); + h->ip_sum =3D pf_cksum_fixup(h->ip_sum, old, h->ip_off, 0); + } =20 /* We will need other tests here */ if (!fragoff && !mff)
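
Review bot: The added condition `if ((r->rule_flag & PFRULE_NODF) {` opens two parentheses and closes only one, so pf_norm.c will not compile as posted; it should read `if (r->rule_flag & PFRULE_NODF) {`. With that fixed, saving the old `h->ip_off` and passing old and new values to pf_cksum_fixup keeps `h->ip_sum` consistent with the header after IP_DF is cleared, which is the point of the change. A short comment on the new `h->ip_sum` line saying that the header checksum must follow the `ip_off` rewrite would help the next reader, since the existing comment only mentions clearing IP_DF.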