svn commit: r290669 - stable/10/sys/netpfil/pf

[Kristof Provost]

Author: kp
Date: Wed Nov 11 12:36:42 2015
New Revision: 290669
URL: https://svnweb.freebsd.org/changeset/base/290669

Log:
  MFC r290161:
  
  pf: Fix IPv6 checksums with route-to.
  
  When using route-to (or reply-to) pf sends the packet directly to the output
  interface. If that interface doesn't support checksum offloading the checksum
  has to be calculated in software.
  That was already done in the IPv4 case, but not for the IPv6 case. As a result
  we'd emit packets with pseudo-header checksums (i.e. incorrect checksums).
  
  This issue was exposed by the changes in r289316 when pf stopped performing full
  checksum calculations for all packets.
  
  Submitted by:       Luoqi Chen

Modified:
  stable/10/sys/netpfil/pf/pf.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf.c	Wed Nov 11 01:32:35 2015	(r290668)
+++ stable/10/sys/netpfil/pf/pf.c	Wed Nov 11 12:36:42 2015	(r290669)
@@ -5576,6 +5576,13 @@ pf_route6(struct mbuf **m, struct pf_rul
 	if (ifp->if_flags & IFF_LOOPBACK)
 		m0->m_flags |= M_SKIP_FIREWALL;
 
+	if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
+	    ~ifp->if_hwassist) {
+		uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
+		in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr));
+		m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+	}
+
 	/*
 	 * If the packet is too large for the outgoing interface,
 	 * send back an icmp6 error.