Date: Fri, 29 Oct 2021 20:33:14 +0200
From: Peter <pmc@citylink.dinoex.sub.org>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-stable@freebsd.org
Subject: Re: IPv6 checksum errors with divert
Message-ID: <YXw%2BaiMB1z9ssml/@gate.intra.daemon.contact>
In-Reply-To: <f5956f09-40ef-4be5-9922-9defa3ae5e8c@yandex.ru>
References: <YXlUD6limy0wFR7m@gate.intra.daemon.contact> <f5956f09-40ef-4be5-9922-9defa3ae5e8c@yandex.ru>

Hi Andrey,

On Fri, Oct 29, 2021 at 08:45:38PM +0300, Andrey V. Elsukov wrote:
! 27.10.2021 16:28, Peter wrote:
! > I see these checksum errors when the packet goes into the divert
! > socket, I see it when the packet comes back from divert, and I
! > see it when the packet goes out onto the network.
!
! > But, when I remove the divert socket from the path, then I still
! > see the checksum error at the place where the divert would have
! > happened, but when the packet goes out to the network, the checksums
! > are okay.
!
! Hi,
!
! This is usually due to enabled IPv6 checksum offloading on the NIC. When

The nic is 'tun0', and I don't think it ever does hardware checksum
offload.

! upper level protocols like TCP/UDP/SCTP send a packet, they can leave
! checksum for delayed calculation. This delayed calculation occurs when
! IP packet is going to the physical interface.

Yes, but when a packet goes thru divert(4), the CSUM_DELAY_DATA* flags
are lost, and cksum will not be inserted later when transmitting.

! Divert was designed for IPv4 only and it does not properly support
! other address families.

Ah, yes, I figured that. But suricata runs on divert, and it runs IPv4
and IPv6. (suricata wants to dump ipfw support, but I don't want that
to happen, because it is just cute to be able to wire it arbitrarily
into any flow desired.)

! But you can try this patch:
! https://people.freebsd.org/~ae/ipv6_divert_csum.diff

Yeah, I came up with mostly the same patch yesterday. ;) And it works!

I don't get why this isn't in the code. Divert may not be supposed to
support IPv6; but then, that code does already have some "#ifdef INET6",
so it does also not really /not/ support it - it is just stuck somewhere
in limbo.

Cheerio,
PMc
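
The checksum at issue in this thread is the TCP/UDP checksum computed over the IPv6 pseudo-header, which stays unfinished when the deferred-checksum flags are lost. As an added example (not part of the original message or of FreeBSD's code; the function name ip6_l4_cksum_ok and the sample packet are constructed here), a checker for a raw IPv6 packet such as one read from a divert socket, assuming no extension headers:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Add a buffer to a one's-complement accumulator as big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;  /* pad an odd last byte */
}

/*
 * Verify the TCP/UDP checksum of a raw IPv6 packet (no extension headers).
 * Hypothetical helper: returns 1 if valid, 0 if not, -1 if not handled here.
 */
int ip6_l4_cksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    size_t plen = (size_t)pkt[4] << 8 | pkt[5];     /* payload length */
    uint8_t nh = pkt[6];                            /* next header */
    if (plen > len - 40 || (nh != 6 && nh != 17))
        return -1;
    /* Pseudo-header: source + destination address, length, next header. */
    uint32_t acc = sum16(pkt + 8, 32, 0) + (uint32_t)plen + nh;
    acc = sum16(pkt + 40, plen, acc);               /* L4 header + data */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);         /* fold the carries */
    return acc == 0xffff;  /* sum including the stored checksum is all ones */
}

/* Constructed sample: UDP 2001:db8::1 -> 2001:db8::2, payload "test". */
static const uint8_t sample_udp6[52] = {
    0x60,0,0,0, 0x00,0x0c, 0x11, 0x40,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x02,
    0x30,0x39, 0x00,0x35, 0x00,0x0c, 0x8c,0x19, 't','e','s','t'
};

int main(void)
{
    printf("checksum ok: %d\n", ip6_l4_cksum_ok(sample_udp6, sizeof sample_udp6));
    return 0;
}
```

A return value of 0 on packets coming back from the divert socket, and again on the wire, matches the symptom described in the thread.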