ipfilter + bge strangeness

[Peter Jeremy]

On Sat, 2006-Jan-28 16:32:54 +0100, Koen Martens wrote:
>Yesterday night, i was going to send the message below. However,
>just before pressing send, i found a solution to the problem:
>disable checksum checks (ifconfig bge0 -rxcsum -txcsum). Though this
>is a solution, it has me puzzled. Is this a bug^H^H^Hfeature of
>6-STABLE, as it works with 5.4.
>
>With 5.4, there was only the rxcsum option for the bge card, not a
>txcsum. It worked fine with rxcsum enabled on 5.4..

At least on Solaris, you need to disable checksum offloading to pass
packets through an IPfilter firewall (check the IPFilter FAQ).  I
gather that the outgoing packets are marked as "checksum valid" so the
NIC doesn't re-compute the checksum and it winds up wrong.

If you disable IPfilter and just use the box as a straight router,
does it then work when you enable checksum offloading?  If so, then
I think you've bumped into the same (mis-)feature.

-- 
Peter Jeremy