From nobody Thu May 21 11:25:50 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLmLQ4RT4z6dnNv
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Thu, 21 May 2026 11:25:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gLmLQ1k79z3r9R
	for <dev-commits-src-all@FreeBSD.org>; Thu, 21 May 2026 11:25:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1779362750;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=LnuGODGVv/xyq+yuEAesfzLpksSvrQb3AVO8RqIXqmg=;
	b=KiA+IDMtuMuQkzUjcohB7qIdEPSL7J0h1hLYLWQrQNHTEXfKHV8TFfkVSNom+ArNlw3sMs
	W0RAg3fz0dxFypHpMFbvZqUV18iJKTHb6gagFRGLtQIWiVEKWuhqdC4atf6v+Kk7UXTrM8
	ANNyNDGQcSsq3Cmo21sYjiPq+qplQTXX3DIhTqSe5n+pMVEodkCs0jaTKJCzWhmDhqFImX
	Ba+Z5uFn6LOkLLKTI8lvuTDYOxQQSHzd6Py6jjldHOJm/Flwcsm7qDADG9NMXagUSf7dZC
	Q3eQLpIHhcoUmHXklyd+KuXnd/bk9ExkMSxd/7hFwMxLP1egroxactcRY8suKg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779362750; a=rsa-sha256; cv=none;
	b=WxG3A1hBu18KoV3Z8p4DXRWMpT9M8HZQGO0V2g2GnCTohPotuAhuA2jYMrOGUe+ny/KJ+a
	+ZIoDv+FJwlga21yZpTFppFuVJGXziq4kVmJICtEHCqDBJi1GE2/l45r8RkMMKzLnGm+Py
	OUaQhsuQWpnao1GNaixIAze0xOl+yjCxoO7RFKyS5whkPAx+uaxMhyuiFD/HySNLzgKI//
	C+8CnK39lEXcdJ5/1iQLD4RHXPxkRlJ7ecr1sC/sMgvMKlhDeSBCeUepPmQdNQAYjBccrZ
	IAvxfaSX/Qp70JYYVl+2Kiz0Xd2mWynmqqMJa43nNcvYczdUWjqySMeMIY83kg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1779362750;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=LnuGODGVv/xyq+yuEAesfzLpksSvrQb3AVO8RqIXqmg=;
	b=Pz5rzfkKFPPxvuPW6hkDG9ldtJskN4hrDV7bSr1lSW0q98Tszk3Kb9KAIf0xx2CP8+n3xg
	Uy4bnRLJiCCm4imKLiIeEpNqYbhEbu9tcLHQSZR/edrIQZis59Yy76mWnrCaya89S1p/Dz
	wAQkbtvfRgjCPYN8ouC5Q483KMiVdIJlheBx9M6SkCrFkCuTtrecgPKRJ3X9qEvY5Zq/f1
	MglYpEz8ZNDU50xG5coLN09CCb4s2lARuzYWy1NIvzUnqS2FZEconPYqmeCSRec9W33gob
	dLTij6gRIDxEiU2q2zSiMacZs9c5dw0qCvJ55XbazVlOgywmJj2K0o07I45nHg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gLmLQ0PCvzVYD
	for <dev-commits-src-all@FreeBSD.org>; Thu, 21 May 2026 11:25:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 24512
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Thu, 21 May 2026 11:25:50 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Timo =?utf-8?Q?V=C3=B6lker?= <timo.voelker@fh-muenster.de>
From: Michael Tuexen <tuexen@FreeBSD.org>
Subject: git: 151d5f620d9a - stable/14 - ipfw: fix checksum after NAT
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 151d5f620d9abd0fcea51aed465b8adb213ea3c3
Auto-Submitted: auto-generated
Date: Thu, 21 May 2026 11:25:50 +0000
Message-Id: <6a0eebbe.24512.4c532671@gitrepo.freebsd.org>

The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=151d5f620d9abd0fcea51aed465b8adb213ea3c3

commit 151d5f620d9abd0fcea51aed465b8adb213ea3c3
Author:     Timo Völker <timo.voelker@fh-muenster.de>
AuthorDate: 2026-05-21 10:54:44 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2026-05-21 09:19:05 +0000

    ipfw: fix checksum after NAT
    
    When checksum offloading is used, IPFW needs to fix the checksum
    after libalias has done NAT. The ipfw_nat() function does so, but
    only for mbufs without a receiving interface. However, if, for example,
    the packet was sent inside a jail that used checksum offloading over
    an epair, ipfw still needs to fix the checksum even though the mbuf
    has set a receiving interface (epair).
    This patch just removes the check whether a receiving interface is set.
    
    PR:                     295057
    Reviewed by:            tuexen
    Differential Revision:  https://reviews.freebsd.org/D57091
    
    (cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f)
---
 sys/netpfil/ipfw/ip_fw_nat.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c
index 69b21eac041c..38ee9cea7f04 100644
--- a/sys/netpfil/ipfw/ip_fw_nat.c
+++ b/sys/netpfil/ipfw/ip_fw_nat.c
@@ -312,17 +312,17 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
 	/*
 	 * XXX - Libalias checksum offload 'duct tape':
 	 *
-	 * locally generated packets have only pseudo-header checksum
-	 * calculated and libalias will break it[1], so mark them for
-	 * later fix.  Moreover there are cases when libalias modifies
+	 * When checksum offloading is used, packets contain only the
+	 * pseudo-header checksum and libalias will break it[1], so mark them
+	 * for later fix.  Moreover there are cases when libalias modifies
 	 * tcp packet data[2], mark them for later fix too.
 	 *
 	 * [1] libalias was never meant to run in kernel, so it does
 	 * not have any knowledge about checksum offloading, and
 	 * expects a packet with a full internet checksum.
-	 * Unfortunately, packets generated locally will have just the
-	 * pseudo header calculated, and when libalias tries to adjust
-	 * the checksum it will actually compute a wrong value.
+	 * Unfortunately, when checksum offloading is used, packets will
+	 * contain just the pseudo-header checksum, and when libalias tries to
+	 * adjust the checksum it will actually compute a wrong value.
 	 *
 	 * [2] when libalias modifies tcp's data content, full TCP
 	 * checksum has to be recomputed: the problem is that
@@ -341,8 +341,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
 	 * it can handle delayed checksum and tso)
 	 */
 
-	if (mcl->m_pkthdr.rcvif == NULL &&
-	    mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
+	if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
 		ldt = 1;
 
 	c = mtod(mcl, char *);