Re: IPv6 checksum errors with divert

From: Peter <pmc_at_citylink.dinoex.sub.org>
Date: Fri, 29 Oct 2021 20:33:14 +0200
Hi Andrey,

On Fri, Oct 29, 2021 at 08:45:38PM +0300, Andrey V. Elsukov wrote:
! 27.10.2021 16:28, Peter wrote:
! > I see these checksum error when the packet goes into the divert
! > socket, I see it when the packet comes back from divert, and I
! > see it when the packet goes out onto the network.
! 
! > But, when I remove the divert socket from the path, then I still
! > see the checksum error at the place where the divert would have
! > happened, but when the packet goes out to the network, the checksums
! > are okay.
! 
! Hi,
! 
! This is usually due to enabled IPv6 checksum offloading on the NIC. When

The NIC is 'tun0', and I don't think it ever does hardware checksum offload.

! upper level protocols like TCP/UDP/SCTP send a packet, they can leave
! checksum for delayed calculation. This delayed calculation occurs when
! IP packet is going to the physical interface.

Yes, but when a packet goes through divert(4), the CSUM_DELAY_DATA* flags
are lost, and the cksum will not be inserted later when transmitting.

! Divert was designed for IPv4 only and it does not properly support
! other address families.

Ah, yes, I figured that. But suricata runs on divert, and it runs IPv4
and IPv6.
(suricata wants to dump ipfw support, but I don't want that to happen,
because it is just cute to be able to wire it arbitrarily into any
flow desired.)

! But you can try this patch:
!  https://people.freebsd.org/~ae/ipv6_divert_csum.diff

Yeah, I came up with mostly the same patch yesterday. ;) And it works!


I don't get why this isn't in the code. Divert may not be supposed
to support IPv6; but then, that code does already have some "#ifdef
INET6", so it also does not really /not/ support it - it is just stuck
somewhere in limbo.


Cheerio,
PMc
Received on Fri Oct 29 2021 - 18:33:14 UTC
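To make the mechanism under discussion concrete, here is an added example (my own code, not from this thread, not from FreeBSD and not from Andrey's patch) that models the two stages of a delayed IPv6 transport checksum in user space: stage one, where the transport layer writes only the pseudo-header partial sum into the checksum field and marks the packet with a CSUM_DELAY_DATA* style flag; and stage two, where the output path sums the transport header and payload over that partial and writes the final checksum. The function names are mine; the split is modelled on how I understand the kernel's in6_cksum_pseudo()/in6_delayed_cksum() pair to work. The packet (fe80::1 to fe80::2, UDP 1234 to 5353, payload "ping") is constructed for the example. Simulating the flag being lost, as Peter describes happening across divert(4), leaves the pseudo-header partial on the wire and the receiver-side verification fails.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Accumulate 16-bit big-endian words into a 32-bit running sum (odd trailing byte padded). */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    while (len > 1) {
        sum += ((uint32_t)buf[0] << 8) | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold carries back into 16 bits (ones' complement reduction). */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Stage one (transport layer): reduced sum over the IPv6 pseudo-header only.
 * The real kernel stores this value in th_sum/uh_sum and sets a CSUM_*_IPV6 flag. */
uint16_t ipv6_pseudo_partial(const uint8_t src[16], const uint8_t dst[16],
                             uint32_t ulen, uint8_t nxt)
{
    uint8_t tail[8] = { (uint8_t)(ulen >> 24), (uint8_t)(ulen >> 16),
                        (uint8_t)(ulen >> 8), (uint8_t)ulen, 0, 0, 0, nxt };
    uint32_t sum = csum_add(0, src, 16);
    sum = csum_add(sum, dst, 16);
    sum = csum_add(sum, tail, 8);
    return csum_fold(sum);
}

/* Stage two (interface output): sum header+payload, with the checksum field still
 * holding the pseudo-header partial, and write the complement back into the field. */
uint16_t ipv6_delayed_cksum(uint8_t *transport, size_t len, size_t csum_off, int is_udp)
{
    uint16_t csum = (uint16_t)~csum_fold(csum_add(0, transport, len));
    if (is_udp && csum == 0)
        csum = 0xffff;  /* UDP over IPv6 never sends a zero checksum (RFC 2460) */
    transport[csum_off] = (uint8_t)(csum >> 8);
    transport[csum_off + 1] = (uint8_t)(csum & 0xff);
    return csum;
}

/* Receiver check: pseudo-header plus transport data (checksum in place) must fold to 0xffff. */
int ipv6_cksum_ok(const uint8_t src[16], const uint8_t dst[16], uint8_t nxt,
                  const uint8_t *transport, size_t len)
{
    uint32_t sum = ipv6_pseudo_partial(src, dst, (uint32_t)len, nxt);
    sum = csum_add(sum, transport, len);
    return csum_fold(sum) == 0xffff;
}

/* Constructed sample packet: UDP/IPv6 fe80::1 -> fe80::2, ports 1234 -> 5353, payload "ping". */
static const uint8_t SRC[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
static const uint8_t DST[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 };
#define UDP_LEN      12
#define UDP_CSUM_OFF 6
#define IPPROTO_UDP_NUM 17

/* Simulate the output path. Returns the checksum field as it would go on the wire;
 * *ok receives the result of the receiver-side verification. */
uint16_t send_udp(int delayed_flag_survives, int *ok)
{
    uint8_t udp[UDP_LEN] = { 0x04, 0xd2, 0x14, 0xe9, 0x00, 0x0c, 0x00, 0x00, 'p', 'i', 'n', 'g' };

    /* Stage one: only the pseudo-header partial is written; the rest is deferred. */
    uint16_t partial = ipv6_pseudo_partial(SRC, DST, UDP_LEN, IPPROTO_UDP_NUM);
    udp[UDP_CSUM_OFF] = (uint8_t)(partial >> 8);
    udp[UDP_CSUM_OFF + 1] = (uint8_t)(partial & 0xff);

    /* Stage two runs only if the "checksum still pending" flag reached the output path.
     * A path that drops the flag (the divert(4) case in the thread) skips this step. */
    if (delayed_flag_survives)
        ipv6_delayed_cksum(udp, UDP_LEN, UDP_CSUM_OFF, 1);

    *ok = ipv6_cksum_ok(SRC, DST, IPPROTO_UDP_NUM, udp, UDP_LEN);
    return (uint16_t)(((uint16_t)udp[UDP_CSUM_OFF] << 8) | udp[UDP_CSUM_OFF + 1]);
}

uint16_t wire_checksum(int delayed_flag_survives) { int ok; return send_udp(delayed_flag_survives, &ok); }
int wire_verifies(int delayed_flag_survives) { int ok; send_udp(delayed_flag_survives, &ok); return ok; }

int main(void)
{
    printf("flag kept: csum=0x%04x verify=%s\n", wire_checksum(1), wire_verifies(1) ? "ok" : "BAD");
    printf("flag lost: csum=0x%04x verify=%s\n", wire_checksum(0), wire_verifies(0) ? "ok" : "BAD");
    return 0;
}
```

The "flag lost" line is exactly the symptom in the thread: the field on the wire holds the pseudo-header partial (0xfd21 for this packet) instead of the finished checksum (0x0a46), so a capture tool shows a bad checksum at the point where the divert happened and the packet is also wrong on the network. Since ones' complement addition is commutative, summing the transport data over the stored partial gives the same result as summing pseudo-header and data together, which is why the two-stage scheme works at all, and why skipping the second stage is not recoverable downstream without recomputing.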