Date: Thu, 29 Oct 2015 20:45:53 +0000 (UTC) From: Kristof Provost <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r290161 - head/sys/netpfil/pf Message-ID: <201510292045.t9TKjrwS033723@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kp Date: Thu Oct 29 20:45:53 2015 New Revision: 290161 URL: https://svnweb.freebsd.org/changeset/base/290161 Log: pf: Fix IPv6 checksums with route-to. When using route-to (or reply-to) pf sends the packet directly to the output interface. If that interface doesn't support checksum offloading the checksum has to be calculated in software. That was already done in the IPv4 case, but not for the IPv6 case. As a result we'd emit packets with pseudo-header checksums (i.e. incorrect checksums). This issue was exposed by the changes in r289316 when pf stopped performing full checksum calculations for all packets. Submitted by: Luoqi Chen MFC after: 1 week Modified: head/sys/netpfil/pf/pf.c Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Thu Oct 29 20:43:13 2015 (r290160) +++ head/sys/netpfil/pf/pf.c Thu Oct 29 20:45:53 2015 (r290161) @@ -5574,6 +5574,13 @@ pf_route6(struct mbuf **m, struct pf_rul if (ifp->if_flags & IFF_LOOPBACK) m0->m_flags |= M_SKIP_FIREWALL; + if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 & + ~ifp->if_hwassist) { + uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6); + in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr)); + m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; + } + /* * If the packet is too large for the outgoing interface, * send back an icmp6 error.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201510292045.t9TKjrwS033723>