From nobody Thu May 21 11:13:04 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLm3n5DQ8z6dm96 for ; Thu, 21 May 2026 11:13:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLm3n3nvtz3pdx for ; Thu, 21 May 2026 11:13:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779361989; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W/YnsQmjf6GKyaTzzra6HYVIyFNYNFmDh+K+nKaxQI0=; b=kanhkEo1+HnN+VKGkl1oTHsAG9kt8dxbpQ9VvSQc3+QLpj+HKbo/g1IJiXcCih4wur+QUi x8JD8lopKTyjxtPr+6zO7d3qFonII9Z17R4b096PV3wbL3cYvGQho6MmPrVSeMVHjRfLgY QFeK9c5fkE/sgkjaRUL4zP9RwfKz2eA51Do8VsbOR0oKOROCdLdjrKqI99oobHDYBZfnpI bs9PMnSCBBvTWcyejb26l3fV/OfJ37SRrczbT2uNXzOHGKzt7T/W0cR8nb1mYT8nO/Hr40 iK/mBM21lqNMXriakEFyfGIemL4d0AsQm8Gu2OvLwBOrEf1Hm/kBIjUbbnUcKw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779361989; a=rsa-sha256; cv=none; b=rlWtc9NPjIud23ZNJScHclSiljl+ULPSqSuauTr22BmRJbZah0J5PjITO3QCaT6fv8Cmjd cZHT51WmgT3vGqdSM1e42cK5DRXzO8S+L5VNNDVp04PUlyXCX9kFI05BccPAtU8NjOcgsg zsQzY0eyl1Y693bsgsuVjYxid0aFtmoN29ued/3UIs3RjPiB/3uVmoGl4nfZyW0bxAH47I QwUXNp8z7n5KYWAie1UZrNvtQN8E1rsVmitUcjE0QtuiPqHU+JRbBWp+MvGuFid0ajbcKY dcxHwUkBzX9k1y/KHRYsCnSEiKYNWpB9FuFYjwskavzx+ujfZ7Wd1HrMYwOYTA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779361989; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W/YnsQmjf6GKyaTzzra6HYVIyFNYNFmDh+K+nKaxQI0=; b=MRCroF4RJ5u/iWLmRi+wLq+uveUBTqNELXEck67pA3D9QpLnxWMgavMgeAhTaOsEOmmpsS Szd3yKGfysQYOO6KInZMWJo0PLokRbFg/tAJfOudaR3vj8lUd67wQOxhatA0Ou9vMiUZuh tLlaStjpriNUcY1NYxqDwAc5pUVAQICNeNe+PgA6u+tDLKiMGiabmGyB4XBEzi1Bzv1zBH 9CSNsMMLsS6jPF06HYxuCzBhSnAchFi97LXp66KEzZ14YimBbLmzv73vQWA3C5Pq1JrElI To1bmFRiThAdWoT9LkdgIlzSzcbueyK+VS4v7DWvtCHIeAHcrn4q7dYWkj8Aaw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gLm3n3Ht9zTmr for ; Thu, 21 May 2026 11:13:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 24be1 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 21 May 2026 11:13:04 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Timo =?utf-8?Q?V=C3=B6lker?= From: Michael Tuexen Subject: git: 198379d2c29f - stable/15 - ipfw: fix checksum after NAT List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tuexen X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 198379d2c29fae7300b650a96199e51a66b87364 Auto-Submitted: auto-generated Date: Thu, 21 May 2026 11:13:04 +0000 Message-Id: <6a0ee8c0.24be1.54503850@gitrepo.freebsd.org> The branch stable/15 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=198379d2c29fae7300b650a96199e51a66b87364 commit 198379d2c29fae7300b650a96199e51a66b87364 Author: Timo Völker AuthorDate: 2026-05-21 10:54:44 +0000 Commit: Michael Tuexen CommitDate: 2026-05-21 11:11:36 +0000 ipfw: fix checksum after NAT When checksum offloading is used, IPFW needs to fix the checksum after libalias has done NAT. The ipfw_nat() function does so, but only for mbufs without a receiving interface. However, if, for example, the packet was sent inside a jail that used checksum offloading over an epair, ipfw still needs to fix the checksum even though the mbuf has set a receiving interface (epair). This patch just removes the check whether a receiving interface is set. PR: 295057 Reviewed by: tuexen Differential Revision: https://reviews.freebsd.org/D57091 (cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f) --- sys/netpfil/ipfw/ip_fw_nat.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c index 8bd27f6885ab..34e60edfc4a5 100644 --- a/sys/netpfil/ipfw/ip_fw_nat.c +++ b/sys/netpfil/ipfw/ip_fw_nat.c @@ -311,17 +311,17 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) /* * XXX - Libalias checksum offload 'duct tape': * - * locally generated packets have only pseudo-header checksum - * calculated and libalias will break it[1], so mark them for - * later fix. Moreover there are cases when libalias modifies + * When checksum offloading is used, packets contain only the + * pseudo-header checksum and libalias will break it[1], so mark them + * for later fix. Moreover there are cases when libalias modifies * tcp packet data[2], mark them for later fix too. * * [1] libalias was never meant to run in kernel, so it does * not have any knowledge about checksum offloading, and * expects a packet with a full internet checksum. - * Unfortunately, packets generated locally will have just the - * pseudo header calculated, and when libalias tries to adjust - * the checksum it will actually compute a wrong value. + * Unfortunately, when checksum offloading is used, packets will + * contain just the pseudo-header checksum, and when libalias tries to + * adjust the checksum it will actually compute a wrong value. * * [2] when libalias modifies tcp's data content, full TCP * checksum has to be recomputed: the problem is that @@ -340,8 +340,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) * it can handle delayed checksum and tso) */ - if (mcl->m_pkthdr.rcvif == NULL && - mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) + if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) ldt = 1; c = mtod(mcl, char *);