Date:      Tue, 12 Apr 2022 16:44:28 -0400
From:      Charles Sprickman <spork@bway.net>
To:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Cc:        Matt Garber <matt.garber@gmail.com>, mike tancsa <mike@sentex.net>
Subject:   Re: vtnet rxcsum broken for forwarding RELENG_13 ?
Message-ID:  <FC471F5A-29F2-4A16-938B-061DD7AFCEB2@bway.net>
In-Reply-To: <322649DF-446E-4BAE-876D-D4FC47FE84B0@FreeBSD.org>
References:  <d30a54ad-6b93-456e-64fc-75d1b09b2fb3@sentex.net> <CANwXMPPUEYWOoYLcYGhzMpP=MOd-oNrT4S7NJUy8AE52cPRvEg@mail.gmail.com> <0FE1F488-EEA5-4010-9926-2D9567E8461F@FreeBSD.org> <5A9B449D-BC3C-4D89-8AE8-7CC680B2F41E@bway.net> <322649DF-446E-4BAE-876D-D4FC47FE84B0@FreeBSD.org>



> On Apr 12, 2022, at 3:48 PM, Kristof Provost <kp@FreeBSD.org> wrote:
>
> On 12 Apr 2022, at 21:40, Charles Sprickman wrote:
>
> On Apr 12, 2022, at 6:43 AM, Kristof Provost <kp@FreeBSD.org> wrote:
>
> On 12 Apr 2022, at 2:07, Matt Garber wrote:
>
> On Mon, Apr 11, 2022 at 7:15 PM mike tancsa <mike@sentex.net> wrote:
>
> I was setting up a VM pf firewall and noticed I was not able to nat out
> for some reason. Looking at the pcap, it seems when the vm is in
> forwarding mode, I get tcp checksum errors. If I do a
>
> ifconfig vtnet1 -rxcsum
>
> ifconfig vtnet0 -rxcsum
>
> nat then seems to work fine
>
> The setup is a simple VM with the hypervisor libvirt/KVM ubuntu 20 LTS.
> Guest is RELENG_13 from Apr 11/2022. If I change to em nics in the VM,
> all is fine out of the box.
>
> I opened up https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229
>
> Unless someone knows otherwise, I’ve been under the impression that PF — or
> potentially any of the other FreeBSD firewalls (?), but I use PF — has been
> “broken” in that regard on Linux KVM-based FreeBSD guests for years. As
> such I’ve always needed to use csum_disable flags on the vtnet interfaces
> or suffer *extremely* poor network performance, even for servers not doing
> NAT forwarding.
>
> That PF checksum issue was fixed in c110fc49da2995d10d60d908af0838ecb4be9bee, back in 2015.
>
> Do you have a bug ID that references this issue/fix?
>
>
> commit c110fc49da2995d10d60d908af0838ecb4be9bee
> Author: Kristof Provost <kp@FreeBSD.org>
> Date:   Wed Oct 14 16:21:41 2015 +0000
>
>     pf: Fix TSO issues
>
>     In certain configurations (mostly but not exclusively as a VM on Xen) pf
>     produced packets with an invalid TCP checksum.
>
>     The problem was that pf could only handle packets with a full checksum. The
>     FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
>     addresses, length and protocol).
>     Certain network interfaces expect to see the pseudo-header checksum, so they
>     end up producing packets with invalid checksums.
>
>     To fix this stop calculating the full checksum and teach pf to only update TCP
>     checksums if TSO is disabled or the change affects the pseudo-header checksum.
>
>     PR:             154428, 193579, 198868
>     Reviewed by:    sbruno
>     MFC after:      1 week
>     Relnotes:       yes
>     Sponsored by:   RootBSD
>     Differential Revision:  https://reviews.freebsd.org/D3779
>
> Kristof


Thanks!

For reference, here’s links to the PRs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193579
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868

And the others referenced earlier in the thread:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229

Charles
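
Added example (not part of the original message, and not pf or FreeBSD code): a Python model of the pseudo-header versus full TCP checksum distinction described in the quoted commit message, showing why a NAT address rewrite must update the pseudo-header seed while a port rewrite needs no fixup when the interface completes the checksum. The addresses, ports and payload are constructed, the function names are hypothetical, and `nic_complete` is a simplified model of checksum offload.

```python
import socket
import struct

def ones_sum(data: bytes, start: int = 0) -> int:
    """Folded 16-bit one's-complement sum of data, seeded with start."""
    if len(data) % 2:
        data += b"\x00"
    total = start + sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_sum(src: str, dst: str, tcp_len: int) -> int:
    """Pseudo-header sum: addresses, protocol (6 = TCP) and TCP length only."""
    return ones_sum(socket.inet_aton(src) + socket.inet_aton(dst)
                    + struct.pack("!HH", 6, tcp_len))

def segment(sport: int, dport: int, csum_field: int, payload: bytes) -> bytes:
    """20-byte TCP header with constructed seq/ack/flags/window, plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                       0xFFFF, csum_field, 0) + payload

def full_checksum(src, dst, sport, dport, payload) -> int:
    """Software checksum over pseudo-header, TCP header and payload."""
    seg = segment(sport, dport, 0, payload)
    return ~ones_sum(seg, pseudo_sum(src, dst, len(seg))) & 0xFFFF

def nic_complete(seg: bytes) -> int:
    """Offload model: sum the segment, seed in the field included, then complement."""
    return ~ones_sum(seg) & 0xFFFF

# Constructed NAT case: 10.0.0.2:40000 is rewritten to 198.51.100.1:50000.
DST, DPORT, DATA = "203.0.113.10", 80, b"ping"
OLD_SRC, NEW_SRC, NEW_SPORT = "10.0.0.2", "198.51.100.1", 50000
TCP_LEN = 20 + len(DATA)
EXPECTED = full_checksum(NEW_SRC, DST, NEW_SPORT, DPORT, DATA)

def on_wire(csum_field: int) -> int:
    """Checksum the NIC emits for the translated segment, given the field NAT left."""
    return nic_complete(segment(NEW_SPORT, DPORT, csum_field, DATA))

# The address rewrite changes the pseudo-header, so the seed must follow it; the
# port rewrite needs no fixup because the NIC sums the TCP header itself.
good = on_wire(pseudo_sum(NEW_SRC, DST, TCP_LEN))
stale = on_wire(pseudo_sum(OLD_SRC, DST, TCP_LEN))   # seed not updated for new address
double = on_wire(EXPECTED)                           # full checksum handed to a completing NIC

print(hex(EXPECTED), hex(good), hex(stale), hex(double))
```

Only `good` matches the checksum a receiver computes; `stale` and `double` are the kind of invalid TCP checksum that shows up in a pcap on the far side of the forwarding host.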





