From nobody Thu May 21 11:07:33 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLlxR3fL6z6dlXk for ; Thu, 21 May 2026 11:07:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLlxR2FXZz3nZc for ; Thu, 21 May 2026 11:07:39 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779361659; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WKtIad0ih92u0C47kbNaTeo4ys+55Wz8hxRf6Tvxr/U=; b=cCYIQqRUlANdmU45I2TDmaxctveCyOPPDaMPlt39gwKcUGQX55WoJwVkLG/HCzw+IX31E4 nWqqTg5xZe+lyK4qHbAzDjBycTN/KttyTT30EpFVn8nqyL2O3b0RcyyGz8wRcoM0Nyt1e5 8074rIRN4gXIy+BBiZw3OOpXj5goI/V/zxKkMmzF0vZrNQ92lZFTQTBvmZJ9iJMAqj/M56 2SR/0Mx4llEB47/4d+ufZ/f0c9WmmL/GjxRnwYNVmZ93fCaigIfQQtOevE5ByZ2Iw+jGBj GbZihob6M7TY/uesiZnlXlUBCwpoYPsnFVmmFmqNRp1zNh5iyNVHuaEe6gGsGg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779361659; a=rsa-sha256; cv=none; b=uRa+HLtuHUpeJbX2Aycn1wrotGAmdmmrym71URqpCu6braI6nJ4Yej/QtyWivWvgljCeC5 wlHU/cQJSqftarHF0+pqtaV6vvyIziYFG1oQvf5lk8ZIdKqUw5o1+Bt3gTqazVW6qt+FOe 2VWhlQhit582LvlSPWMe7Dh8HmZBmSVW9reCOzOd8c8Ip3b/8l1m3w3/dbJzwfXbK8tHGG jO5Z1QMyni26/WSdq7s169j/wDFAjWo428QNmRz0tVTXgidczaIxiiwJ/4iKXwBIyxdq/0 PplqQ8qj6+3RZjh8f/zhYDnlB5FKw3VDil+32Xk5yRJMcrBNA3WWjecY6tJ8eg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779361659; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WKtIad0ih92u0C47kbNaTeo4ys+55Wz8hxRf6Tvxr/U=; b=kqBId7a6kckCZWd7HLkIx6xhR3G59pEyVDtw8nKMyQY5fG93HDVLdWaisnkKXuPhrjS1Km ZoC7dZlHv2x8Hip507bZnb8spu6SpDgXywrPUGLv3iDPM0GLEk/k6LcUYxjslMDHAroGHS thRGNlMUbgPyOOaaIWv3L/6nlZz38gpY3NUazDUjP3hGeGwYeXNUzWuSbfuTtDeOiSMGY0 StTxqFrbcG4FTYd8FxGtmsfMMPaAopWRBj0WS8Ro4zwaX7oFRna4sIgwB9UAAxsoRbFHUh LffgBwZoHOXhDHPQ7fQ3Zb9P838vk6ElfvtxPLOMfGyaFeMzemg8u0zmd+QrYg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gLlxR1rckzTjd for ; Thu, 21 May 2026 11:07:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 226bd by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 21 May 2026 11:07:33 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Cc: Timo =?utf-8?Q?V=C3=B6lker?= From: Michael Tuexen Subject: git: 81b47a7c604f - main - ipfw: fix checksum after NAT List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tuexen X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 81b47a7c604f1d563283759572fa7a1f9d4dc56f Auto-Submitted: auto-generated Date: Thu, 21 May 2026 11:07:33 +0000 Message-Id: <6a0ee775.226bd.724200c1@gitrepo.freebsd.org> The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=81b47a7c604f1d563283759572fa7a1f9d4dc56f commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f Author: Timo Völker AuthorDate: 2026-05-21 10:54:44 +0000 Commit: Michael Tuexen CommitDate: 2026-05-21 10:54:44 +0000 ipfw: fix checksum after NAT When checksum offloading is used, IPFW needs to fix the checksum after libalias has done NAT. The ipfw_nat() function does so, but only for mbufs without a receiving interface. However, if, for example, the packet was sent inside a jail that used checksum offloading over an epair, ipfw still needs to fix the checksum even though the mbuf has set a receiving interface (epair). This patch just removes the check whether a receiving interface is set. PR: 295057 Reviewed by: tuexen MFC after: immediately Differential Revision: https://reviews.freebsd.org/D57091 --- sys/netpfil/ipfw/ip_fw_nat.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c index 75f12511a264..e816c7bd95eb 100644 --- a/sys/netpfil/ipfw/ip_fw_nat.c +++ b/sys/netpfil/ipfw/ip_fw_nat.c @@ -311,17 +311,17 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) /* * XXX - Libalias checksum offload 'duct tape': * - * locally generated packets have only pseudo-header checksum - * calculated and libalias will break it[1], so mark them for - * later fix. Moreover there are cases when libalias modifies + * When checksum offloading is used, packets contain only the + * pseudo-header checksum and libalias will break it[1], so mark them + * for later fix. Moreover there are cases when libalias modifies * tcp packet data[2], mark them for later fix too. * * [1] libalias was never meant to run in kernel, so it does * not have any knowledge about checksum offloading, and * expects a packet with a full internet checksum. - * Unfortunately, packets generated locally will have just the - * pseudo header calculated, and when libalias tries to adjust - * the checksum it will actually compute a wrong value. + * Unfortunately, when checksum offloading is used, packets will + * contain just the pseudo-header checksum, and when libalias tries to + * adjust the checksum it will actually compute a wrong value. * * [2] when libalias modifies tcp's data content, full TCP * checksum has to be recomputed: the problem is that @@ -340,8 +340,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) * it can handle delayed checksum and tso) */ - if (mcl->m_pkthdr.rcvif == NULL && - mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) + if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) ldt = 1; c = mtod(mcl, char *);