From 8da924425493932e34af9e579f6423fa534e0cc5 Mon Sep 17 00:00:00 2001 From: kp Date: Wed, 11 Nov 2015 12:36:42 +0000 Subject: [PATCH] MFC r290161: pf: Fix IPv6 checksums with route-to. When using route-to (or reply-to) pf sends the packet directly to the output interface. If that interface doesn't support checksum offloading the checksum has to be calculated in software. That was already done in the IPv4 case, but not for the IPv6 case. As a result we'd emit packets with pseudo-header checksums (i.e. incorrect checksums). This issue was exposed by the changes in r289316 when pf stopped performing full checksum calculations for all packets. Submitted by: Luoqi Chen git-svn-id: svn://svn.freebsd.org/base/stable/10@290669 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/netpfil/pf/pf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 8f3a5ed7e..48da88077 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5576,6 +5576,13 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, if (ifp->if_flags & IFF_LOOPBACK) m0->m_flags |= M_SKIP_FIREWALL; + if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 & + ~ifp->if_hwassist) { + uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6); + in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr)); + m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; + } + /* * If the packet is too large for the outgoing interface, * send back an icmp6 error. -- 2.45.0