Date: Fri, 29 Oct 2021 20:33:14 +0200
From: Peter
To: "Andrey V. Elsukov"
Cc: freebsd-stable@freebsd.org
Subject: Re: IPv6 checksum errors with divert

Hi Andrey,

On Fri, Oct 29, 2021 at 08:45:38PM +0300, Andrey V. Elsukov wrote:
! 27.10.2021 16:28, Peter wrote:
! > I see these checksum errors when the packet goes into the divert
! > socket, I see it when the packet comes back from divert, and I
! > see it when the packet goes out onto the network.
!
! > But, when I remove the divert socket from the path, then I still
! > see the checksum error at the place where the divert would have
! > happened, but when the packet goes out to the network, the checksums
! > are okay.
!
! Hi,
!
! This is usually due to enabled IPv6 checksum offloading on the NIC. When

The nic is 'tun0', and I don't think it ever does hardware checksum
offload.

! upper level protocols like TCP/UDP/SCTP send a packet, they can leave
! checksum for delayed calculation. This delayed calculation occurs when
! IP packet is going to the physical interface.

Yes, but when a packet goes thru divert(4), the CSUM_DELAY_DATA* flags
are lost, and cksum will not be inserted later when transmitting.

! Divert was designed for IPv4 only and it does not properly support
! other address families.

Ah, yes, I figured that. But suricata runs on divert, and it runs IPv4
and IPv6. (suricata wants to dump ipfw support, but I don't want that
to happen, because it is just cute to be able to wire it arbitrarily
into any flow desired.)

! But you can try this patch:
! https://people.freebsd.org/~ae/ipv6_divert_csum.diff

Yeah, I came up with mostly the same patch yesterday. ;)
And it works!

I don't get why this isn't in the code. Divert may not be supposed to
support IPv6; but then, that code does already have some
"#ifdef INET6", so it does also not really /not/ support it - it is
just stuck somewhere in limbo.

Cheerio,
PMc
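
The checksum failure discussed in this message can be checked on any IPv6 packet read from a divert socket. The following is an added example, not code from the thread or from the linked patch: it computes the RFC 8200 upper-layer checksum and runs it over a constructed UDP packet in two states. It assumes no extension headers, and it models the deferred state as a checksum field holding only the pseudo-header sum.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP6_HLEN 40   /* fixed IPv6 header; no extension headers assumed */

/* Add the big-endian 16-bit words of p[0..len) to the accumulator. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    return len ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* Folded sum of the RFC 8200 pseudo-header plus n bytes of upper-layer data. */
static uint16_t ip6_sum(const uint8_t *pkt, size_t len, size_t n)
{
    /* Seed with upper-layer length + next header, then add both addresses. */
    uint32_t acc = sum16(pkt + 8, 32, (uint32_t)(len - IP6_HLEN) + pkt[6]);
    acc = sum16(pkt + IP6_HLEN, n, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Returns 0 when the checksum already stored in the packet is correct. */
uint16_t ip6_l4_cksum(const uint8_t *pkt, size_t len)
{
    return (uint16_t)~ip6_sum(pkt, len, len - IP6_HLEN);
}

/* Constructed sample: UDP 2001:db8::1 -> 2001:db8::2, payload "test".
 * finalized == 0 leaves only the pseudo-header sum in the field (assumed). */
void sample_packet(uint8_t out[52], int finalized)
{
    static const uint8_t tmpl[52] = { 0x60,0,0,0, 0,12, 17,64,
        0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,
        0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,
        0x30,0x39, 0,53, 0,12, 0,0, 't','e','s','t' };
    memcpy(out, tmpl, sizeof tmpl);
    uint16_t sum = finalized ? ip6_l4_cksum(out, 52) : ip6_sum(out, 52, 0);
    out[IP6_HLEN + 6] = sum >> 8;       /* UDP checksum field */
    out[IP6_HLEN + 7] = sum & 0xff;
}

int main(void)
{
    uint8_t ok[52], bad[52];
    sample_packet(ok, 1);
    sample_packet(bad, 0);
    printf("finalized: 0x%04x  deferred: 0x%04x  (0 = valid)\n", (unsigned)ip6_l4_cksum(ok, 52), (unsigned)ip6_l4_cksum(bad, 52));
    return 0;
}
```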