193579 – [axge] axge driver issue with tcp checksum offload with pf nat

Bug 193579 - [axge] axge driver issue with tcp checksum offload with pf nat

Summary: [axge] axge driver issue with tcp checksum offload with pf nat

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	10.0-STABLE
Hardware:	amd64 Any

Importance:	--- Affects Some People
Assignee:	Kristof Provost

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-09-12 08:58 UTC by fireball
Modified:	2016-12-27 19:37 UTC (History)
CC List:	2 users (show)

See Also:

Flags:	koobs: mfc-stable10+ koobs: mfc-stable9+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description fireball 2014-09-12 08:58:44 UTC

When crossing NAT from e.g. pfsense, packets sent from the axge driver will generate bad checksums (as seen in tcpdump), which eventually results in connection aborts.

Test within the the same zone (i.e. not crossing NAT) generates no checksum errors and no connections aborts.

FreeBSD jail.zerouptime.ch 10.0-STABLE FreeBSD 10.0-STABLE #0 r270340: Fri Aug 22 19:05:34 UTC 2014     root@grind.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

root@jail:~ # kldstat
Id Refs Address            Size     Name
 1   11 0xffffffff80200000 17143c0  kernel
 2    1 0xffffffff81a11000 4198     if_axge.ko
 3    1 0xffffffff81a16000 2af5     uether.ko

Tested hardware: Delock 62121 USB 3.0 Adapter in USB 2.0 compatibility mode.

usbconfig relevant output:
ugen1.2: <AX88179 ASIX Elec. Corp.> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (248mA)

Comment 1 Mark Linimon freebsd_committer

2014-10-20 01:49:09 UTC

Over to maintainers.

Comment 2 fireball 2014-11-17 00:04:41 UTC

I bought another usb ethernet adapter, this time 100 Mbit which is using the axe driver and I have the same problem.

That means:

- within the DMZ of my pfsense firewall I can transfer files without problems
- across the NAT of my pfsense the connection interupts if the transfer goes beyond listing a directory

This also makes it look like it's a general uether issue.

Comment 3 commit-hook freebsd_committer

2015-10-14 16:22:13 UTC

A commit references this bug:

Author: kp
Date: Wed Oct 14 16:21:41 UTC 2015
New revision: 289316
URL: https://svnweb.freebsd.org/changeset/base/289316

Log:
  pf: Fix TSO issues

  In certain configurations (mostly but not exclusively as a VM on Xen) pf
  produced packets with an invalid TCP checksum.

  The problem was that pf could only handle packets with a full checksum. The
  FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
  addresses, length and protocol).
  Certain network interfaces expect to see the pseudo-header checksum, so they
  end up producing packets with invalid checksums.

  To fix this stop calculating the full checksum and teach pf to only update TCP
  checksums if TSO is disabled or the change affects the pseudo-header checksum.

  PR:		154428, 193579, 198868
  Reviewed by:	sbruno
  MFC after:	1 week
  Relnotes:	yes
  Sponsored by:	RootBSD
  Differential Revision:	https://reviews.freebsd.org/D3779

Changes:
  head/sys/net/pfvar.h
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_ioctl.c
  head/sys/netpfil/pf/pf_norm.c

Comment 4 fireball 2015-10-14 19:27:42 UTC

Outstanding! That's probably it, since I also had this issue on ESXi Server hosts.

Comment 5 commit-hook freebsd_committer

2015-10-21 15:33:23 UTC

A commit references this bug:

Author: kp
Date: Wed Oct 21 15:32:21 UTC 2015
New revision: 289703
URL: https://svnweb.freebsd.org/changeset/base/289703

Log:
  MFC r289316:

  pf: Fix TSO issues

  In certain configurations (mostly but not exclusively as a VM on Xen) pf
  produced packets with an invalid TCP checksum.

  The problem was that pf could only handle packets with a full checksum. The
  FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
  addresses, length and protocol).
  Certain network interfaces expect to see the pseudo-header checksum, so they
  end up producing packets with invalid checksums.

  To fix this stop calculating the full checksum and teach pf to only update TCP
  checksums if TSO is disabled or the change affects the pseudo-header checksum.

  PR:             154428, 193579, 198868
  Relnotes:       yes
  Sponsored by:   RootBSD

Changes:
_U  stable/10/
  stable/10/sys/net/pfvar.h
  stable/10/sys/netpfil/pf/pf.c
  stable/10/sys/netpfil/pf/pf_ioctl.c
  stable/10/sys/netpfil/pf/pf_norm.c

Comment 6 commit-hook freebsd_committer

2015-12-25 15:13:11 UTC

A commit references this bug:

Author: kp
Date: Fri Dec 25 15:12:12 UTC 2015
New revision: 292731
URL: https://svnweb.freebsd.org/changeset/base/292731

Log:
  pf: Fix TSO issues

  In certain configurations (mostly but not exclusively as a VM on Xen) pf
  produced packets with an invalid TCP checksum.

  The problem was that pf could only handle packets with a full checksum. The
  FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
  addresses, length and protocol).
  Certain network interfaces expect to see the pseudo-header checksum, so they
  end up producing packets with invalid checksums.

  To fix this stop calculating the full checksum and teach pf to only update TCP
  checksums if TSO is disabled or the change affects the pseudo-header checksum.

  PR:             154428, 193579, 198868
  Sponsored by:   RootBSD

Changes:
  stable/9/sys/contrib/pf/net/pf.c
  stable/9/sys/contrib/pf/net/pf_ioctl.c
  stable/9/sys/contrib/pf/net/pf_norm.c
  stable/9/sys/contrib/pf/net/pfvar.h

Comment 7 Kubilay Kocak freebsd_committer

2015-12-25 15:52:34 UTC

Assign to committer that's taking care of (resolving) this issue

Comment 8 Kubilay Kocak freebsd_committer

2015-12-25 15:52:48 UTC

Whoops, wrong one