Subject: Re: vtnet rxcsum broken for forwarding RELENG_13 ?
From: Charles Sprickman
Date: Tue, 12 Apr 2022 16:44:28 -0400
To: FreeBSD-STABLE Mailing List
Cc: Matt Garber, mike tancsa

> On Apr 12, 2022, at 3:48 PM, Kristof Provost wrote:
>
> On 12 Apr 2022, at 21:40, Charles Sprickman wrote:
>
> On Apr 12, 2022, at 6:43 AM, Kristof Provost wrote:
>
> On 12 Apr 2022, at 2:07, Matt Garber wrote:
>
> On Mon, Apr 11, 2022 at 7:15 PM mike tancsa wrote:
>
> I was setting up a VM pf firewall and noticed I was not able to nat out
> for some reason. Looking at the pcap, it seems when the vm is in
> forwarding mode, I get tcp checksum errors. If I do a
>
> ifconfig vtnet1 -rxcsum
>
> ifconfig vtnet0 -rxcsum
>
> nat then seems to work fine
>
> The setup is a simple VM with the hypervisor libvirt/KVM ubuntu 20 LTS.
> Guest is RELENG_13 from Apr 11/2022. If I change to em nics in the VM,
> all is fine out of the box.
>
> I opened up https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229
>
> Unless someone knows otherwise, I’ve been under the impression that PF — or
> potentially any of the other FreeBSD firewalls (?), but I use PF — has been
> “broken” in that regard on Linux KVM-based FreeBSD guests for years. As
> such I’ve always needed to use csum_disable flags on the vtnet interfaces
> or suffer *extremely* poor network performance, even for servers not doing
> NAT forwarding.
>
> That PF checksum issue was fixed c110fc49da2995d10d60d908af0838ecb4be9bee, back in 2015.
>
> Do you have a bug ID that references this issue/fix?
>
>
> commit c110fc49da2995d10d60d908af0838ecb4be9bee
> Author: Kristof Provost
> Date: Wed Oct 14 16:21:41 2015 +0000
>
> pf: Fix TSO issues
>
> In certain configurations (mostly but not exclusively as a VM on Xen) pf
> produced packets with an invalid TCP checksum.
>
> The problem was that pf could only handle packets with a full checksum. The
> FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
> addresses, length and protocol).
> Certain network interfaces expect to see the pseudo-header checksum, so they
> end up producing packets with invalid checksums.
>
> To fix this stop calculating the full checksum and teach pf to only update TCP
> checksums if TSO is disabled or the change affects the pseudo-header checksum.
>
> PR: 154428, 193579, 198868
> Reviewed by: sbruno
> MFC after: 1 week
> Relnotes: yes
> Sponsored by: RootBSD
> Differential Revision: https://reviews.freebsd.org/D3779
>
> Kristof

Thanks! For reference, here’s links to the PRs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193579
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868

And the others referenced earlier in the thread:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229

Charles
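
The checksum behaviour described in the quoted commit message, as an added C example that is not part of the original message and is not pf or vtnet code: a simplified model in which the stack leaves only the pseudo-header sum in the TCP checksum field and a modelled offload device completes it. The addresses, the segment bytes and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }
/* Add n bytes to the accumulator as big-endian 16-bit words. */
static uint32_t sum(uint32_t s, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) s += (uint32_t)(p[0] << 8 | p[1]);
    if (n) s += (uint32_t)p[0] << 8;
    return s;
}
/* Pseudo-header sum: addresses, protocol (6 = TCP) and TCP length, not inverted. */
static uint16_t pseudo(const uint8_t *src, const uint8_t *dst, size_t len) {
    return fold(sum(sum(6 + (uint32_t)len, src, 4), dst, 4));
}
static void put(uint8_t *seg, uint16_t c) { seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c; }
/* Modelled offload device: sums the segment, seed included, and stores the complement. */
static void nic_finish(uint8_t *seg, size_t len) { put(seg, (uint16_t)~fold(sum(0, seg, len))); }
/* Software full checksum: pseudo-header plus segment, computed over a zeroed field. */
static void sw_full(uint8_t *seg, size_t len, const uint8_t *src, const uint8_t *dst) {
    put(seg, 0);
    put(seg, (uint16_t)~fold(pseudo(src, dst, len) + sum(0, seg, len)));
}
/* Receiver check: pseudo-header plus the whole segment must fold to 0xffff. */
static int csum_ok(const uint8_t *seg, size_t len, const uint8_t *src, const uint8_t *dst) {
    return fold(pseudo(src, dst, len) + sum(0, seg, len)) == 0xffff;
}
/* NAT source rewrite: move the seed with the pseudo-header (add new words, subtract old). */
static void nat_fix_seed(uint8_t *seg, const uint8_t *o, const uint8_t *n) {
    uint32_t s = sum((uint32_t)(seg[16] << 8 | seg[17]), n, 4);
    s += (uint16_t)~(o[0] << 8 | o[1]) + (uint32_t)(uint16_t)~(o[2] << 8 | o[3]);
    put(seg, fold(s));
}
/* Constructed sample; returns 1 if the receiver accepts what the device sent.
 * mode 0: seed only; 1: full checksum, then device; 2: NAT, stale seed; 3: NAT, seed fixed. */
int run_case(int mode) {
    uint8_t seg[24] = { 0x12,0x34, 0x00,0x50, 0,0,0,1, 0,0,0,0,
                        0x50,0x18, 0x20,0x00, 0,0, 0,0, 'p','i','n','g' };
    const uint8_t in[4] = {10,0,0,2}, nat[4] = {198,51,100,1}, dst[4] = {192,0,2,10};
    put(seg, pseudo(in, dst, sizeof seg));              /* stack leaves the seed */
    if (mode == 1) sw_full(seg, sizeof seg, in, dst);   /* field now holds a full checksum */
    if (mode == 3) nat_fix_seed(seg, in, nat);          /* seed follows the new address */
    nic_finish(seg, sizeof seg);
    return csum_ok(seg, sizeof seg, mode >= 2 ? nat : in, dst);
}
int main(void) {
    for (int m = 0; m < 4; m++) printf("case %d: %s\n", m, run_case(m) ? "valid" : "INVALID");
    return 0;
}
```

Cases 1 and 2 come out invalid: a device that expects the pseudo-header seed corrupts a field that already holds a full checksum, and an address rewrite that leaves the seed untouched no longer matches the pseudo-header the receiver computes.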