Re: vtnet rxcsum broken for forwarding RELENG_13 ?

From: Kristof Provost <>
Date: Tue, 12 Apr 2022 19:48:53 UTC

On 12 Apr 2022, at 21:40, Charles Sprickman wrote:

>> On Apr 12, 2022, at 6:43 AM, Kristof Provost <> wrote:
>> On 12 Apr 2022, at 2:07, Matt Garber wrote:
>>> On Mon, Apr 11, 2022 at 7:15 PM mike tancsa <> wrote:
>>>> I was setting up a VM pf firewall and noticed I was not able to nat out
>>>> for some reason. Looking at the pcap, it seems when the vm is in
>>>> forwarding mode, I get tcp checksum errors. If I do a
>>>> ifconfig vtnet1 -rxcsum
>>>> ifconfig vtnet0 -rxcsum
>>>> nat then seems to work fine
>>>> The setup is a simple VM with the hypervisor libvirt/KVM ubuntu 20 LTS.
>>>> Guest is RELENG_13 from Apr 11/2022. If I change to em nics in the VM,
>>>> all is fine out of the box.
>>>> I opened up 
>>> Unless someone knows otherwise, I’ve been under the impression that PF — or
>>> potentially any of the other FreeBSD firewalls (?), but I use PF — has been
>>> “broken” in that regard on Linux KVM-based FreeBSD guests for years. As
>>> such I’ve always needed to use csum_disable flags on the vtnet interfaces
>>> or suffer *extremely* poor network performance, even for servers not doing
>>> NAT forwarding.
>> That PF checksum issue was fixed 
>> c110fc49da2995d10d60d908af0838ecb4be9bee, back in 2015.
> Do you have a bug ID that references this issue/fix?
	commit c110fc49da2995d10d60d908af0838ecb4be9bee
	Author: Kristof Provost <>
	Date:   Wed Oct 14 16:21:41 2015 +0000

	    pf: Fix TSO issues

	    In certain configurations (mostly but not exclusively as a VM on Xen) pf
	    produced packets with an invalid TCP checksum.

	    The problem was that pf could only handle packets with a full checksum. The
	    FreeBSD IP stack produces TCP packets with a pseudo-header checksum 
	    addresses, length and protocol).
	    Certain network interfaces expect to see the pseudo-header checksum, so they
	    end up producing packets with invalid checksums.

	    To fix this stop calculating the full checksum and teach pf to only update TCP
	    checksums if TSO is disabled or the change affects the pseudo-header checksum.

	    PR:             154428, 193579, 198868
	    Reviewed by:    sbruno
	    MFC after:      1 week
	    Relnotes:       yes
	    Sponsored by:   RootBSD
	    Differential Revision:
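
The checksum interaction described in the quoted commit message, as an added example that is not part of the original thread and is not pf's code: a NAT address rewrite applied to a pseudo-header seed stays valid after the NIC completes the checksum, while a full checksum handed to an offloading NIC does not. The function names, the simplified NIC model and the sample addresses and segment are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* Add n bytes as big-endian 16-bit words (odd tail padded with zero). */
static uint32_t sum_bytes(const uint8_t *p, size_t n, uint32_t s) {
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) s += (uint32_t)p[n - 1] << 8;
    return s;
}
/* Uncomplemented pseudo-header sum: addresses, protocol 6 (TCP), TCP length. */
static uint16_t pseudo_sum(uint32_t src, uint32_t dst, uint16_t len) {
    return fold((src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff) + 6 + len);
}
/* RFC 1624-style incremental update on an uncomplemented sum: old -> nw. */
static uint16_t partial_fixup(uint16_t sum, uint16_t old, uint16_t nw) {
    return fold((uint32_t)sum + (uint16_t)~old + nw);
}
/* Assumed model of TX checksum offload: the NIC sums the segment, seed
 * included, complements it and stores it in the checksum field (offset 16). */
static void nic_finish(uint8_t *seg, size_t len) {
    uint16_t c = (uint16_t)~fold(sum_bytes(seg, len, 0));
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)(c & 0xff);
}
/* Receiver check: pseudo-header plus the whole segment must sum to 0xffff. */
static int tcp_valid(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len) {
    return fold(sum_bytes(seg, len, pseudo_sum(src, dst, (uint16_t)len))) == 0xffff;
}
/* Constructed case: 10.0.0.2 is NATed to 198.51.100.7, peer is 203.0.113.5.
 * seed_full=0: only the pseudo-header seed is fixed up for the new address.
 * seed_full=1: a complete checksum is written, yet the NIC still offloads. */
static int nat_then_offload(int seed_full) {
    const uint32_t in = 0x0a000002, out = 0xc6336407, dst = 0xcb007105;
    uint8_t seg[26] = {0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0xff,0xff};
    memcpy(seg + 20, "hello!", 6);              /* 20-byte header + 6-byte payload */
    uint16_t seed = pseudo_sum(in, dst, sizeof seg);
    if (seed_full)
        seed = (uint16_t)~fold(sum_bytes(seg, sizeof seg, pseudo_sum(out, dst, sizeof seg)));
    else
        seed = partial_fixup(partial_fixup(seed, in >> 16, out >> 16), in & 0xffff, out & 0xffff);
    seg[16] = (uint8_t)(seed >> 8); seg[17] = (uint8_t)(seed & 0xff);
    nic_finish(seg, sizeof seg);
    return tcp_valid(out, dst, seg, sizeof seg);
}
int main(void) {
    printf("seed fixup: %d, full checksum: %d\n", nat_then_offload(0), nat_then_offload(1));
    return 0;
}
```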