Date: Thu, 21 May 2026 11:07:33 +0000 From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Cc: Timo =?utf-8?Q?V=C3=B6lker?= <timo.voelker@fh-muenster.de> Subject: git: 81b47a7c604f - main - ipfw: fix checksum after NAT Message-ID: <6a0ee775.226bd.724200c1@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=81b47a7c604f1d563283759572fa7a1f9d4dc56f commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f Author: Timo Völker <timo.voelker@fh-muenster.de> AuthorDate: 2026-05-21 10:54:44 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2026-05-21 10:54:44 +0000 ipfw: fix checksum after NAT When checksum offloading is used, IPFW needs to fix the checksum after libalias has done NAT. The ipfw_nat() function does so, but only for mbufs without a receiving interface. However, if, for example, the packet was sent inside a jail that used checksum offloading over an epair, ipfw still needs to fix the checksum even though the mbuf has set a receiving interface (epair). This patch just removes the check whether a receiving interface is set. PR: 295057 Reviewed by: tuexen MFC after: immediately Differential Revision: https://reviews.freebsd.org/D57091 --- sys/netpfil/ipfw/ip_fw_nat.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c index 75f12511a264..e816c7bd95eb 100644 --- a/sys/netpfil/ipfw/ip_fw_nat.c +++ b/sys/netpfil/ipfw/ip_fw_nat.c @@ -311,17 +311,17 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) /* * XXX - Libalias checksum offload 'duct tape': * - * locally generated packets have only pseudo-header checksum - * calculated and libalias will break it[1], so mark them for - * later fix. Moreover there are cases when libalias modifies + * When checksum offloading is used, packets contain only the + * pseudo-header checksum and libalias will break it[1], so mark them + * for later fix. Moreover there are cases when libalias modifies * tcp packet data[2], mark them for later fix too. * * [1] libalias was never meant to run in kernel, so it does * not have any knowledge about checksum offloading, and * expects a packet with a full internet checksum. - * Unfortunately, packets generated locally will have just the - * pseudo header calculated, and when libalias tries to adjust - * the checksum it will actually compute a wrong value. + * Unfortunately, when checksum offloading is used, packets will + * contain just the pseudo-header checksum, and when libalias tries to + * adjust the checksum it will actually compute a wrong value. * * [2] when libalias modifies tcp's data content, full TCP * checksum has to be recomputed: the problem is that @@ -340,8 +340,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) * it can handle delayed checksum and tso) */ - if (mcl->m_pkthdr.rcvif == NULL && - mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) + if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) ldt = 1; c = mtod(mcl, char *);home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a0ee775.226bd.724200c1>