From: Daniel Hartmeier
To: Derkjan de Haan
Cc: freebsd-pf@freebsd.org
Date: Tue, 31 May 2005 15:15:19 +0200
Subject: Re: no-df and cksum errors in tcpdump

On Tue, May 31, 2005 at 01:55:49PM +0200, Derkjan de Haan wrote:

> The strange thing is that as soon as I remove the no-df from my pf
> configuration, the 'bad cksum' disappears. Has anybody seen this before?
> Can it be that pf doesn't recompute the checksum after altering the packet?

This can be perfectly fine, when you have a NIC that does checksum
calculation in hardware. In that case, pf will invalidate the packet
checksum with any modification (nat, modulate state, no-df, etc.) and
bpf (i.e. tcpdump, pflogd) will see packets before they actually reach
the NIC (which then fixes the checksum in hardware).

To make sure, tcpdump what goes out on the wire, from a second host
(like the peer or a sniffer). If you see invalid checksums on the wire,
then something is wrong. But you can't check this on the sending host
itself, due to the order in which bpf gets packets first.

Daniel
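
The effect described in the reply above, as an added example that is not part of the original message and is not pf's code: a simplified model in which clearing DF leaves the IPv4 header checksum stale until a later offload step recomputes it. The header values, addresses and function names (`rewrite_no_df`, `nic_offload`) are constructed for illustration.

```python
import socket
import struct

DF = 0x4000  # "don't fragment" bit in the flags/fragment-offset word

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, DF, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def checksum_ok(hdr: bytes) -> bool:
    """Sniffer-side check: a header summed with its checksum folds to 0."""
    return inet_checksum(hdr) == 0

def rewrite_no_df(hdr: bytes) -> bytes:
    """Model of the sender's view: DF cleared, checksum left stale."""
    flags = struct.unpack("!H", hdr[6:8])[0] & ~DF
    return hdr[:6] + struct.pack("!H", flags) + hdr[8:]

def nic_offload(hdr: bytes) -> bytes:
    """Model of the hardware step: recompute the checksum before the wire."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[12:]

if __name__ == "__main__":
    original = build_header("192.0.2.1", "198.51.100.2")  # documentation addresses
    on_sender = rewrite_no_df(original)   # what bpf/tcpdump sees locally
    on_wire = nic_offload(on_sender)      # what a second host would capture
    for label, h in (("original", original), ("sender bpf", on_sender),
                     ("on the wire", on_wire)):
        print(f"{label:12} cksum {'ok' if checksum_ok(h) else 'bad'}")
```
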