git: 81b47a7c604f - main - ipfw: fix checksum after NAT
Date: Thu, 21 May 2026 11:07:33 UTC
The branch main has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=81b47a7c604f1d563283759572fa7a1f9d4dc56f
commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f
Author: Timo Völker <timo.voelker@fh-muenster.de>
AuthorDate: 2026-05-21 10:54:44 +0000
Commit: Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2026-05-21 10:54:44 +0000
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
PR: 295057
Reviewed by: tuexen
MFC after: immediately
Differential Revision: https://reviews.freebsd.org/D57091
---
sys/netpfil/ipfw/ip_fw_nat.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c
index 75f12511a264..e816c7bd95eb 100644
--- a/sys/netpfil/ipfw/ip_fw_nat.c
+++ b/sys/netpfil/ipfw/ip_fw_nat.c
@@ -311,17 +311,17 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
/*
* XXX - Libalias checksum offload 'duct tape':
*
- * locally generated packets have only pseudo-header checksum
- * calculated and libalias will break it[1], so mark them for
- * later fix. Moreover there are cases when libalias modifies
+ * When checksum offloading is used, packets contain only the
+ * pseudo-header checksum and libalias will break it[1], so mark them
+ * for later fix. Moreover there are cases when libalias modifies
* tcp packet data[2], mark them for later fix too.
*
* [1] libalias was never meant to run in kernel, so it does
* not have any knowledge about checksum offloading, and
* expects a packet with a full internet checksum.
- * Unfortunately, packets generated locally will have just the
- * pseudo header calculated, and when libalias tries to adjust
- * the checksum it will actually compute a wrong value.
+ * Unfortunately, when checksum offloading is used, packets will
+ * contain just the pseudo-header checksum, and when libalias tries to
+ * adjust the checksum it will actually compute a wrong value.
*
* [2] when libalias modifies tcp's data content, full TCP
* checksum has to be recomputed: the problem is that
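Review bot: The reworded text in the opening paragraph and in note [1] now says "when checksum offloading is used", but nowhere states that this deliberately includes mbufs with a receiving interface set, which is the jail over epair case the commit message describes. Suggest adding one sentence to note [1] saying that rcvif is intentionally not consulted, so that the removed check is not reintroduced later on the assumption that only locally generated packets carry a pseudo-header checksum.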
@@ -340,8 +340,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
* it can handle delayed checksum and tso)
*/
- if (mcl->m_pkthdr.rcvif == NULL &&
- mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
+ if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
ldt = 1;
c = mtod(mcl, char *);
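Review bot: The new condition `if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)` relies on that flag alone to identify packets that carry only a pseudo-header checksum, so `ldt = 1` is now also set for mbufs that arrived on an interface. Please confirm that the later code consuming `ldt` does not assume `rcvif == NULL`, and that CSUM_DELAY_DATA cannot be set on a received mbuf that already holds a full checksum, since the fix-up would then rewrite a correct value. A regression test that sends NATed traffic from a jail over an epair with checksum offloading enabled would cover the case from the commit message.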