[Bug 291420] [epair] Bad UDP packet checksum with epair(4) and txcsum enabled

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 15 Dec 2025 10:45:16 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291420

--- Comment #27 from Timo Voelker <timo.voelker@fh-muenster.de> ---
(In reply to leper from comment #22)

Thanks for sharing your setup. If I got it right, it looks like this:

DNS-Jail         Host                   VM-Jail      Ubuntu-VM
 e0b_dns---e0a_dns  e0a_vmjail---e0b_vmjail   tap0---vtnet0
               \       /               \       /
                bridge0                 bridge1

That's a good example where bridge capability synchronization fails. In an
unpatched FreeBSD tap0 has no txcsum and it cannot be enabled. When adding tap0
to bridge1, the bridge disables txcsum on all other member interfaces (and will
disable txcsum on interfaces newly added to that bridge). Thus, it disables
txcsum on e0b_vmjail, which, due to the capability sync between epair
interfaces, will disable txcsum on e0a_vmjail.

The core problem here is that the bridge does not notice changes made after
adding an interface. In this example, disabling txcsum on e0a_vmail does not
result in disabling txcsum on e0a_dns, which would disable txcsum on e0b_dns.

With txcsum enabled on e0b_dns, the DNS-Server uses checksum offloading for
outgoing packets and writes only the header checksum in the checksum field. For
a packet to the Ubuntu-VM, bridge1 forwards the packet that still needs a valid
checksum out over tap0 which has txcsum disabled.

I guess we need to add txcsum to the bridge, which then computes the checksum
in software if the outgoing interface does not support txcsum.

-- 
You are receiving this mail because:
You are on the CC list for the bug.