Re: vtnet rxcsum broken for forwarding RELENG_13 ?
Date: Tue, 12 Apr 2022 19:48:53 UTC
On 12 Apr 2022, at 21:40, Charles Sprickman wrote:
>> On Apr 12, 2022, at 6:43 AM, Kristof Provost <kp@FreeBSD.org> wrote:
>>
>> On 12 Apr 2022, at 2:07, Matt Garber wrote:
>>> On Mon, Apr 11, 2022 at 7:15 PM mike tancsa <mike@sentex.net> wrote:
>>>
>>>> I was setting up a VM pf firewall and noticed I was not able to nat out
>>>> for some reason. Looking at the pcap, it seems when the vm is in
>>>> forwarding mode, I get tcp checksum errors. If I do a
>>>>
>>>> ifconfig vtnet1 -rxcsum
>>>>
>>>> ifconfig vtnet0 -rxcsum
>>>>
>>>> nat then seems to work fine
>>>>
>>>> The setup is a simple VM with the hypervisor libvirt/KVM ubuntu 20 LTS.
>>>> Guest is RELENG_13 from Apr 11/2022. If I change to em nics in the VM,
>>>> all is fine out of the box.
>>>>
>>>> I opened up
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229
>>>
>>> Unless someone knows otherwise, I’ve been under the impression that PF — or
>>> potentially any of the other FreeBSD firewalls (?), but I use PF — has been
>>> “broken” in that regard on Linux KVM-based FreeBSD guests for years. As
>>> such I’ve always needed to use csum_disable flags on the vtnet interfaces
>>> or suffer *extremely* poor network performance, even for servers not doing
>>> NAT forwarding.
>>>
>> That PF checksum issue was fixed
>> c110fc49da2995d10d60d908af0838ecb4be9bee, back in 2015.
>
> Do you have a bug ID that references this issue/fix?
>

commit c110fc49da2995d10d60d908af0838ecb4be9bee
Author: Kristof Provost <kp@FreeBSD.org>
Date:   Wed Oct 14 16:21:41 2015 +0000

    pf: Fix TSO issues

    In certain configurations (mostly but not exclusively as a VM on Xen) pf
    produced packets with an invalid TCP checksum.

    The problem was that pf could only handle packets with a full checksum. The
    FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
    addresses, length and protocol).
    Certain network interfaces expect to see the pseudo-header checksum, so they
    end up producing packets with invalid checksums.

    To fix this stop calculating the full checksum and teach pf to only update TCP
    checksums if TSO is disabled or the change affects the pseudo-header checksum.

    PR:             154428, 193579, 198868
    Reviewed by:    sbruno
    MFC after:      1 week
    Relnotes:       yes
    Sponsored by:   RootBSD
    Differential Revision:  https://reviews.freebsd.org/D3779

Kristof
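
The difference between a pseudo-header checksum and a full checksum that the commit message above describes, as an added example that is not part of the original message and is not pf or FreeBSD code. The addresses, the 24-byte segment, all function names and the simplified NIC model (sum the segment including whatever the checksum field holds, then complement) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: 20-byte TCP header (checksum field at bytes 16-17) + "ping". */
static const uint8_t SEG[24] = {0x30,0x39,0x00,0x50, 0,0,0,1, 0,0,0,0,
    0x50,0x18,0xff,0xff, 0,0,0,0, 'p','i','n','g'};
static const uint8_t OLD_SRC[4] = {10,0,0,2}, NEW_SRC[4] = {203,0,113,5},
                     DST[4] = {198,51,100,7};      /* constructed addresses */
static uint16_t fold(uint32_t s) {                 /* end-around carry */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t s) {
    for (; n > 1; p += 2, n -= 2) s += (uint32_t)p[0] << 8 | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
/* Uncomplemented sum over src, dst, protocol (6 = TCP) and TCP length. */
uint16_t pseudo_sum(const uint8_t *src, const uint8_t *dst, uint16_t len) {
    return fold(sum16(dst, 4, sum16(src, 4, 0)) + 6 + len);
}
/* Full software checksum; the checksum field in seg must be zero. */
uint16_t full_csum(const uint8_t *src, const uint8_t *dst, const uint8_t *seg, size_t n) {
    return (uint16_t)~fold(sum16(seg, n, pseudo_sum(src, dst, (uint16_t)n)));
}
/* Assumed NIC model: sum the segment, field included, then complement. */
uint16_t nic_finish(const uint8_t *seg, size_t n) { return (uint16_t)~fold(sum16(seg, n, 0)); }
static void put_field(uint8_t *seg, uint16_t v) { seg[16] = (uint8_t)(v >> 8); seg[17] = (uint8_t)v; }
/* NAT rewrite that adjusts only the pseudo-header sum for the changed source. */
uint16_t nat_pseudo_update(void) {
    uint8_t seg[24]; memcpy(seg, SEG, sizeof seg);
    uint32_t s = pseudo_sum(OLD_SRC, DST, (uint16_t)sizeof seg);
    for (int i = 0; i < 4; i += 2) {   /* remove old word (add its complement), add new */
        uint16_t o = (uint16_t)(OLD_SRC[i] << 8 | OLD_SRC[i + 1]);
        uint16_t w = (uint16_t)(NEW_SRC[i] << 8 | NEW_SRC[i + 1]);
        s = fold(s + (uint16_t)~o + w);
    }
    put_field(seg, (uint16_t)s);
    return nic_finish(seg, sizeof seg);
}
/* Failure mode: software writes a full checksum, then the NIC sums it again. */
uint16_t nat_full_then_offload(void) {
    uint8_t seg[24]; memcpy(seg, SEG, sizeof seg);
    put_field(seg, full_csum(NEW_SRC, DST, SEG, sizeof SEG));
    return nic_finish(seg, sizeof seg);
}
uint16_t expected_csum(void) { return full_csum(NEW_SRC, DST, SEG, sizeof SEG); }
int main(void) {
    printf("expected %04x, pseudo-update %04x, full-then-offload %04x\n",
           expected_csum(), nat_pseudo_update(), nat_full_then_offload());
    return 0;
}
```

In a capture, the second case shows up as the TCP checksum errors reported in this thread: the value on the wire is not the checksum a receiver computes over the rewritten addresses.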