[Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK

Ermal Luçi eri at freebsd.org
Mon Nov 10 08:46:33 UTC 2014


Give this patch inline a try:

--- a/patches/releng/10.1/pf_reply-to.enahnce.diff
+++ b/patches/releng/10.1/pf_reply-to.enahnce.diff
@@ -1,8 +1,33 @@
+diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
+index 837b617..b6c37a9 100644
+--- a/sys/netinet6/ip6_output.c
++++ b/sys/netinet6/ip6_output.c
+@@ -185,7 +185,7 @@ static int copypktopts(struct ip6_pktopts *,
struct ip6_pktopts *, int);
+ 	}\
+     } while (/*CONSTCOND*/ 0)
+
+-static void
++void
+ in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset)
+ {
+ 	u_short csum;
+diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
+index 70e487e..0d72b37 100644
+--- a/sys/netinet6/ip6_var.h
++++ b/sys/netinet6/ip6_var.h
+@@ -445,6 +445,7 @@ int	rip6_usrreq(struct socket *,
+ int	dest6_input(struct mbuf **, int *, int);
+ int	none_input(struct mbuf **, int *, int);
+
++void	in6_delayed_cksum(struct mbuf *, uint32_t, u_short);
+ int	in6_selectsrc(struct sockaddr_in6 *, struct ip6_pktopts *,
+ 	struct inpcb *inp, struct route_in6 *, struct ucred *cred,
+ 	struct ifnet **, struct in6_addr *);
 diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
-index 6bc7ce6..2ceaf0e 100644
+index a76d06e..257fae2 100644
 --- a/sys/netpfil/pf/pf.c
 +++ b/sys/netpfil/pf/pf.c
-@@ -343,11 +343,9 @@ do {							\
+@@ -335,11 +335,9 @@ do {							\
  		}           						\
  		if ((d) == PF_OUT &&					\
  		    (((s)->rule.ptr->rt == PF_ROUTETO &&		\
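Review bot: `in6_delayed_cksum()` loses its `static` in the ip6_output.c part of this hunk and gets a prototype in ip6_var.h, but nothing documents what `plen` and `offset` mean for callers outside ip6_output.c. The new caller in pf_ioctl.c clears `CSUM_DELAY_DATA_IPV6` itself after the call, which suggests the function leaves the flag untouched; that is worth stating too. A short comment above the prototype would cover it, e.g. `/* Finish a delayed IPv6 upper-layer checksum; plen = payload length, offset = start of the upper-layer header; caller clears the csum flag. */`. The function body lies outside the hunk, so the wording should be confirmed against it.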
@@ -17,7 +42,7 @@ index 6bc7ce6..2ceaf0e 100644
  			return (PF_PASS);				\
  	} while (0)

-@@ -5888,7 +5886,12 @@ pf_route(struct mbuf **m, struct pf_rule *r,
int dir, struct ifnet *oifp,
+@@ -5646,7 +5644,12 @@ pf_route(struct mbuf **m, struct pf_rule *r,
int dir, struct ifnet *oifp,
  	else if (r->rt == PF_ROUTETO && r->direction == dir &&
in_localip(ip->ip_dst))
  		return;

@@ -31,7 +56,7 @@ index 6bc7ce6..2ceaf0e 100644
  		if (in_broadcast(ip->ip_dst, oifp)) /* XXX: LOCKING of address list?! */
  			return;

-@@ -6127,7 +6130,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r,
int dir, struct ifnet *oifp,
+@@ -5885,7 +5888,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r,
int dir, struct ifnet *oifp,
         } else if (r->rt == PF_ROUTETO && r->direction == dir &&
in6_localaddr(&ip6->ip6_dst))
  	       return;

@@ -45,3 +70,31 @@ index 6bc7ce6..2ceaf0e 100644

  		if (s && r->rt == PF_ROUTETO && pd->nat_rule != NULL &&
  			r->direction == PF_OUT && r->direction == dir && pd->pf_mtag->routed < 2) {
+diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
+index dbd92f9..621a4f5 100644
+--- a/sys/netpfil/pf/pf_ioctl.c
++++ b/sys/netpfil/pf/pf_ioctl.c
+@@ -72,6 +72,7 @@ __FBSDID("$FreeBSD$");
+ #include <netinet/in.h>
+ #include <netinet/ip.h>
+ #include <netinet/ip_var.h>
++#include <netinet6/ip6_var.h>
+ #include <netinet/ip_icmp.h>
+
+ #ifdef INET6
+@@ -3690,12 +3691,9 @@ pf_check6_out(void *arg, struct mbuf **m,
struct ifnet *ifp, int dir,
+ 	int chk;
+
+ 	/* We need a proper CSUM before we start (s. OpenBSD ip_output) */
+-	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+-#ifdef INET
+-		/* XXX-BZ copy&paste error from r126261? */
+-		in_delayed_cksum(*m);
+-#endif
+-		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
++	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
++		in6_delayed_cksum(*m, (*m)->m_pkthdr.len - sizeof(struct ip6_hdr),
sizeof(struct ip6_hdr));
++		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+ 	}
+ 	CURVNET_SET(ifp->if_vnet);
+ 	chk = pf_test6(PF_OUT, ifp, m, inp);
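Review bot: The arguments passed to `in6_delayed_cksum()` in the new `pf_check6_out` block assume the upper-layer header starts immediately after the fixed `struct ip6_hdr`. If an outbound packet with `CSUM_DELAY_DATA_IPV6` set can also carry extension headers, the checksum would presumably be computed from the wrong offset and pf would filter and forward a segment with a bad checksum; this should be confirmed against what ip6_output does and the assumption stated in the comment. The expression `(*m)->m_pkthdr.len - sizeof(struct ip6_hdr)` is also an unsigned subtraction, so the precondition deserves an explicit check such as `KASSERT((*m)->m_pkthdr.len >= sizeof(struct ip6_hdr), ("%s: short packet", __func__));`. The body of `pf_check6_out` continues outside the hunk.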


On Wed, Nov 5, 2014 at 3:29 PM, <bugzilla-noreply at freebsd.org> wrote:

> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648
>
> Kurt Jaeger <pi at FreeBSD.org> changed:
>
>            What    |Removed                     |Added
>
> ----------------------------------------------------------------------------
>                  CC|                            |pi at FreeBSD.org
>
> --- Comment #3 from Kurt Jaeger <pi at FreeBSD.org> ---
> See
>
> https://lists.freebsd.org/pipermail/freebsd-net/2014-November/040319.html
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>



-- 
Ermal

