From: Max Laier
Organization: FreeBSD
To: freebsd-net@freebsd.org
Cc: Adam McDougall, Pieter de Boer
Date: Sat, 4 Mar 2006 16:02:26 +0100
Subject: Re: PR kern/93849 IP checksum broken by pf no-df over bridge

On Saturday 04 March 2006 15:51, Pieter de Boer wrote:
> Adam McDougall wrote:
> > Could someone possibly take a look at this and let me know if it
> > looks 'broken' or if I might be doing something wrong?  I am in
> > a crunch to choose a firewall solution within a few weeks and it
> > would help me to know if this issue can be solved.  FreeBSD/pf
> > seemed an appropriate solution so far, especially since it has
> > CARP, pfsync, (and altq which I'm not using (yet?)).
>
> You could try compiling pf using CFLAGS=-O instead of -O2. This fixed a
> checksum problem I had. That probably was an entirely different issue,
> but perhaps it does help..

Can you try this patch and report back instead?  Thanks and sorry for the
delay.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Index: pf_norm.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v retrieving revision 1.16 diff -u -r1.16 pf_norm.c =2D-- pf_norm.c 19 Jan 2006 11:46:45 -0000 1.16 +++ pf_norm.c 4 Mar 2006 14:49:13 -0000 @@ -988,8 +988,12 @@ goto drop; =20 /* Clear IP_DF if the rule uses the no-df option */ =2D if (r->rule_flag & PFRULE_NODF) + if ((r->rule_flag & PFRULE_NODF) { + u_int16_t old =3D h->ip_off; + h->ip_off &=3D htons(~IP_DF); + h->ip_sum =3D pf_cksum_fixup(h->ip_sum, old, h->ip_off, 0); + } =20 /* We will need other tests here */ if (!fragoff && !mff)
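
Review bot: The added condition `if ((r->rule_flag & PFRULE_NODF) {` has two opening parentheses and only one closing one, so the hunk will not compile as posted; drop the extra `(`, giving `if (r->rule_flag & PFRULE_NODF) {`. The block also runs for every packet that matches a no-df rule, whether or not IP_DF was set in `h->ip_off`; adding `h->ip_off & htons(IP_DF)` to the condition would limit the header write and the `pf_cksum_fixup` call to packets that are actually modified. The existing comment only mentions clearing IP_DF, so a short note that `ip_sum` has to be adjusted because `ip_off` changes would document why the fixup is there.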