Re: vtnet rxcsum broken for forwarding RELENG_13 ?
- In reply to: Kristof Provost : "Re: vtnet rxcsum broken for forwarding RELENG_13 ?"
Date: Tue, 12 Apr 2022 20:44:28 UTC
> On Apr 12, 2022, at 3:48 PM, Kristof Provost <kp@FreeBSD.org> wrote:
>
> On 12 Apr 2022, at 21:40, Charles Sprickman wrote:
> > On Apr 12, 2022, at 6:43 AM, Kristof Provost <kp@FreeBSD.org> wrote:
> > > On 12 Apr 2022, at 2:07, Matt Garber wrote:
> > > > On Mon, Apr 11, 2022 at 7:15 PM mike tancsa <mike@sentex.net> wrote:
> > > > > I was setting up a VM pf firewall and noticed I was not able to nat out
> > > > > for some reason. Looking at the pcap, it seems when the vm is in
> > > > > forwarding mode, I get tcp checksum errors. If I do a
> > > > >
> > > > > ifconfig vtnet1 -rxcsum
> > > > > ifconfig vtnet0 -rxcsum
> > > > >
> > > > > nat then seems to work fine
> > > > >
> > > > > The setup is a simple VM with the hypervisor libvirt/KVM ubuntu 20 LTS.
> > > > > Guest is RELENG_13 from Apr 11/2022. If I change to em nics in the VM,
> > > > > all is fine out of the box.
> > > > >
> > > > > I opened up https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229
> > > >
> > > > Unless someone knows otherwise, I’ve been under the impression that PF — or
> > > > potentially any of the other FreeBSD firewalls (?), but I use PF — has been
> > > > “broken” in that regard on Linux KVM-based FreeBSD guests for years. As
> > > > such I’ve always needed to use csum_disable flags on the vtnet interfaces
> > > > or suffer *extremely* poor network performance, even for servers not doing
> > > > NAT forwarding.
> > >
> > > That PF checksum issue was fixed c110fc49da2995d10d60d908af0838ecb4be9bee, back in 2015.
> >
> > Do you have a bug ID that references this issue/fix?
>
> commit c110fc49da2995d10d60d908af0838ecb4be9bee
> Author: Kristof Provost <kp@FreeBSD.org>
> Date: Wed Oct 14 16:21:41 2015 +0000
>
>     pf: Fix TSO issues
>
>     In certain configurations (mostly but not exclusively as a VM on Xen) pf
>     produced packets with an invalid TCP checksum.
>
>     The problem was that pf could only handle packets with a full checksum. The
>     FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
>     addresses, length and protocol).
>     Certain network interfaces expect to see the pseudo-header checksum, so they
>     end up producing packets with invalid checksums.
>
>     To fix this stop calculating the full checksum and teach pf to only update TCP
>     checksums if TSO is disabled or the change affects the pseudo-header checksum.
>
>     PR: 154428, 193579, 198868
>     Reviewed by: sbruno
>     MFC after: 1 week
>     Relnotes: yes
>     Sponsored by: RootBSD
>     Differential Revision: https://reviews.freebsd.org/D3779
>
> Kristof

Thanks! For reference, here’s links to the PRs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193579
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868

And the others referenced earlier in the thread:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229

Charles
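
Added example, not part of the original message and not FreeBSD or pf source: a simplified C model of the checksum handling the quoted commit message describes. It shows why a device that expects a pseudo-header seed emits a bad checksum when the field already holds a full checksum, and how a NAT address rewrite can adjust only the seed. All function names, the offload model and the sample segment are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one big-endian 16-bit word. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* RFC 1071 ones' complement sum; carries are folded back in by fold(). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += rd16(p);
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Pseudo-header sum (addresses, protocol 6, TCP length), not inverted. */
uint16_t pseudo_sum(const uint8_t *src, const uint8_t *dst, uint16_t len) {
    return fold(sum16(dst, 4, sum16(src, 4, 0)) + 6 + len);
}
/* Store v in the TCP checksum field (header offset 16). */
static void put16(uint8_t *seg, uint16_t v) { seg[16] = (uint8_t)(v >> 8); seg[17] = (uint8_t)v; }
/* Full checksum computed in software over pseudo-header plus segment. */
uint16_t full_cksum(const uint8_t *src, const uint8_t *dst, uint8_t *seg, uint16_t len) {
    put16(seg, 0);
    return (uint16_t)~fold(sum16(seg, len, pseudo_sum(src, dst, len)));
}
/* Assumed offload model: the device sums the segment, seed field included, then inverts. */
uint16_t nic_finish(const uint8_t *seg, uint16_t len) { return (uint16_t)~fold(sum16(seg, len, 0)); }
/* Swap one 16-bit word inside a non-inverted sum (RFC 1624 arithmetic). */
static uint16_t sum_fixup(uint16_t sum, uint16_t old, uint16_t new_) {
    return fold((uint32_t)sum + (uint16_t)~old + new_);
}
/* NAT source rewrite: adjust the pseudo-header seed only, payload untouched. */
uint16_t nat_fix_seed(uint16_t seed, const uint8_t *old, const uint8_t *new_) {
    seed = sum_fixup(seed, rd16(old), rd16(new_));
    return sum_fixup(seed, rd16(old + 2), rd16(new_ + 2));
}

int main(void) {
    /* Constructed sample: 10.0.0.2 -> 192.0.2.10, source NATed to 203.0.113.5. */
    uint8_t src[4] = {10, 0, 0, 2}, dst[4] = {192, 0, 2, 10}, nat[4] = {203, 0, 113, 5};
    uint8_t seg[24] = {0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                       0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0, 'p', 'i', 'n', 'g'};
    uint16_t full = full_cksum(src, dst, seg, 24);
    put16(seg, pseudo_sum(src, dst, 24));
    printf("pseudo seed in field: wire %04x, valid %04x\n", nic_finish(seg, 24), full);
    put16(seg, full);
    printf("full cksum in field:  wire %04x, valid %04x\n", nic_finish(seg, 24), full);
    printf("seed after NAT: %04x\n", nat_fix_seed(pseudo_sum(src, dst, 24), src, nat));
    return 0;
}
```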