git: 78de09e1412e - releng/15.1 - ipfw: fix checksum after NAT
Date: Thu, 21 May 2026 21:21:57 UTC
The branch releng/15.1 has been updated by cperciva:
URL: https://cgit.FreeBSD.org/src/commit/?id=78de09e1412e2e720a2391457f65717248bad4f4
commit 78de09e1412e2e720a2391457f65717248bad4f4
Author: Timo Völker <timo.voelker@fh-muenster.de>
AuthorDate: 2026-05-21 10:54:44 +0000
Commit: Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2026-05-21 21:21:05 +0000
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
Approved by: re (cperciva)
PR: 295057
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D57091
(cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f)
(cherry picked from commit 198379d2c29fae7300b650a96199e51a66b87364)
---
sys/netpfil/ipfw/ip_fw_nat.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c
index 8bd27f6885ab..34e60edfc4a5 100644
--- a/sys/netpfil/ipfw/ip_fw_nat.c
+++ b/sys/netpfil/ipfw/ip_fw_nat.c
@@ -311,17 +311,17 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
/*
* XXX - Libalias checksum offload 'duct tape':
*
- * locally generated packets have only pseudo-header checksum
- * calculated and libalias will break it[1], so mark them for
- * later fix. Moreover there are cases when libalias modifies
+ * When checksum offloading is used, packets contain only the
+ * pseudo-header checksum and libalias will break it[1], so mark them
+ * for later fix. Moreover there are cases when libalias modifies
* tcp packet data[2], mark them for later fix too.
*
* [1] libalias was never meant to run in kernel, so it does
* not have any knowledge about checksum offloading, and
* expects a packet with a full internet checksum.
- * Unfortunately, packets generated locally will have just the
- * pseudo header calculated, and when libalias tries to adjust
- * the checksum it will actually compute a wrong value.
+ * Unfortunately, when checksum offloading is used, packets will
+ * contain just the pseudo-header checksum, and when libalias tries to
+ * adjust the checksum it will actually compute a wrong value.
*
* [2] when libalias modifies tcp's data content, full TCP
* checksum has to be recomputed: the problem is that
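Review bot: the rewritten text in footnote [1] says that offloaded packets carry only the pseudo-header checksum, but it does not record that such packets can also have a receiving interface set (the jail over epair case from the commit message), which is the reason the condition further down changes. A sentence in [1] along the lines of "this includes packets with a receiving interface set, e.g. sent from a jail over an epair" would keep a later reader from reintroducing the rcvif test. Minor style point: the unchanged lines around [2] spell the protocol both as "tcp" and "TCP"; since the block is being edited anyway, it could be made consistent.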
@@ -340,8 +340,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
* it can handle delayed checksum and tso)
*/
- if (mcl->m_pkthdr.rcvif == NULL &&
- mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
+ if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
ldt = 1;
c = mtod(mcl, char *);
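Review bot: the new condition "if (mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)" makes the flag the sole criterion for setting ldt = 1, for every mbuf regardless of where it came from; please confirm that CSUM_DELAY_DATA cannot be set on a packet that already carries a full checksum, since such a packet would now be marked for a later fix as well. The diffstat lists only sys/netpfil/ipfw/ip_fw_nat.c, so nothing in this change exercises the epair-in-jail path described in the commit message; a regression test for that case would be worth adding alongside it.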