pf no-df breaking all tcp traffic through bridge

Adam McDougall mcdouga9 at egr.msu.edu
Thu Feb 23 17:06:52 PST 2006


I have set up if_bridge and pf on a server with dual em interfaces
running FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006.

rc.conf relevant items: (The IPs are just for temporary management from
either side of the firewall as needed)
ifconfig_em0="inet 10.0.0.80 netmask 0xffffff00"
ifconfig_em0_alias0="inet 35.9.44.100 netmask 0xffffff00"
ifconfig_em1="inet 10.0.1.80 netmask 0xffffff00"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"

I have narrowed my ruleset down to a simple config for testing:

ext_if="em0"
int_if="em1"
scrub in on $ext_if no-df
pass in all
pass out all
pass quick on lo0

# pfctl -Rf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled

# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in on em0 all no-df fragment reassemble
pass in all
pass out all
pass quick on lo0 all


Whenever I have no-df in the scrub line, the bridging firewall still
passes my ssh SYN packet to the host behind the firewall, but the 
receiving host discards it due to a bad IP checksum (I believe).

Using tcpdump on em0 and em1 on the firewall, I see the packet come in
with DF set, and leave with DF unset however the IP checksum is reported
bad on the em1 side according to ethereal.  Running tcpdump on the
receiving host shows the SYN packet, but trying to use -w to save it
to a file results in nothing captured.  I'm not sure how easy it would
be to get the receiving host to print a debug message when an IP packet
would be dropped due to bad IP sum.  All systems involved are FreeBSD
so far, and the symptoms persist going both directions across the bridge.
ping still works.  

I am trying to get no-df to work because documentation indicates it is
needed to pass NFS which will be a requirement for me.  I didn't get
very far with attempting to exclude just NFS traffic from being scrubbed,
but it seems to me that a firewall munging packets ought to produce ones
with valid checksums.  Please let me know if I need to provide more information
or what else I can do to debug this further.
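The symptom described above (DF cleared on the way through, IP checksum bad on the far side) is exactly what happens when a packet's flags word is rewritten without the header checksum being updated. The following is an added worked example, not code from this mail, from pf or from FreeBSD: it builds a constructed IPv4 header (addresses, identification and length are made-up sample values), clears DF once without touching the checksum and once with it recomputed, and checks each result the way a receiving host's IP input path does (one's-complement sum over the whole header must come out to zero). It also shows the RFC 1624 incremental update that a forwarding device can apply instead of a full recompute, and asserts it agrees with the full recomputation.

```python
import ipaddress
import struct

# Constructed sample values; nothing here is taken from the firewall in the mail.
DF_FLAG = 0x4000            # "Don't Fragment" bit in the 16-bit flags/fragment-offset word
FLAGS_OFFSET = 6            # byte offset of the flags/fragment-offset word in the IPv4 header
CSUM_OFFSET = 10            # byte offset of the header checksum


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words.  Call with the checksum field zeroed to compute it;
    call on a complete header to verify it (a valid header yields 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """What the receiving host's IP input path checks before accepting the packet."""
    return ip_checksum(header) == 0


def build_ipv4_header(src: str, dst: str, ident: int, flags: int,
                      total_length: int = 60, ttl: int = 64, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, ident, flags, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, CSUM_OFFSET, ip_checksum(bytes(hdr)))
    return bytes(hdr)


def df_set(header: bytes) -> bool:
    return bool(struct.unpack_from("!H", header, FLAGS_OFFSET)[0] & DF_FLAG)


def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), for a single changed 16-bit word.
    This is how a forwarding device can fix the checksum without re-summing."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + (new_word & 0xFFFF)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def clear_df(header: bytes, fix_checksum: bool, incremental: bool = False) -> bytes:
    """Clear the DF bit the way a 'scrub no-df' rule does.  With fix_checksum=False
    the header is left with a stale checksum, reproducing the bad-checksum symptom."""
    hdr = bytearray(header)
    old_flags = struct.unpack_from("!H", hdr, FLAGS_OFFSET)[0]
    new_flags = old_flags & ~DF_FLAG & 0xFFFF
    struct.pack_into("!H", hdr, FLAGS_OFFSET, new_flags)
    if fix_checksum:
        if incremental:
            old_csum = struct.unpack_from("!H", hdr, CSUM_OFFSET)[0]
            new_csum = incremental_checksum(old_csum, old_flags, new_flags)
        else:
            struct.pack_into("!H", hdr, CSUM_OFFSET, 0)
            new_csum = ip_checksum(bytes(hdr))
        struct.pack_into("!H", hdr, CSUM_OFFSET, new_csum)
    return bytes(hdr)


def demo() -> dict:
    """Run the three variants and report what a receiver would conclude about each."""
    syn = build_ipv4_header("10.0.0.20", "10.0.1.20", ident=0x1234, flags=DF_FLAG)
    broken = clear_df(syn, fix_checksum=False)
    fixed_full = clear_df(syn, fix_checksum=True)
    fixed_incr = clear_df(syn, fix_checksum=True, incremental=True)
    return {
        "original_ok": checksum_ok(syn) and df_set(syn),
        "no_df_stale_csum_ok": checksum_ok(broken),      # False: receiver drops it
        "no_df_recomputed_ok": checksum_ok(fixed_full),  # True
        "no_df_incremental_ok": checksum_ok(fixed_incr), # True
        "full_equals_incremental": fixed_full == fixed_incr,
        "original_csum": struct.unpack_from("!H", syn, CSUM_OFFSET)[0],
        "fixed_csum": struct.unpack_from("!H", fixed_full, CSUM_OFFSET)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the wire, the "no_df_stale_csum_ok" case is what `tcpdump -v` on the inside interface reports as a bad IP checksum, and it is silently dropped by the receiver's IP input path before any TCP processing (which is why ssh never answers although the SYN is visible in a capture). Whichever component rewrites the flags word has to write the matching checksum, either by re-summing the header or with the incremental update above; the two give the same bytes.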

