Bug 203275 - ipfilter IPv6 checksum error with stateful inspection
Summary: ipfilter IPv6 checksum error with stateful inspection
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.0-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Cy Schubert
Duplicates: 203585
Reported: 2015-09-23 02:25 UTC by Cy Schubert
Modified: 2019-12-12 20:45 UTC

Attachments
correct IPv6 checksum calculation (625 bytes, patch)
2015-09-23 02:27 UTC, Cy Schubert
DTrace bad packets (10.94 KB, patch)
2016-03-23 02:18 UTC, Cy Schubert
patch to revert ip6 chksum changes that break ipfilter (5.83 KB, patch)
2016-12-22 11:22 UTC, andywhite
Partial patch to "teach" ipfilter about changed IPv6 checksum calculations (3.60 KB, patch)
2017-01-27 08:30 UTC, Cy Schubert
This patch is a little closer to what pf does when ipv6 cksum is zero. (3.81 KB, patch)
2017-02-07 21:03 UTC, Cy Schubert
Description Cy Schubert freebsd_committer 2015-09-23 02:25:08 UTC
Since FreeBSD 10.0 (IP Filter 5.1.2) stateful inspection is broken due to incorrect checksum calculation.
Comment 1 Cy Schubert freebsd_committer 2015-09-23 02:27:26 UTC
Created attachment 161294 [details]
correct IPv6 checksum calculation

This patch correctly calculates IPv6 checksum, omitting header length, but including version number and payload length as required by IPv6.
Comment 2 Cy Schubert freebsd_committer 2015-09-25 05:44:32 UTC
Comment on attachment 161294 [details]
correct IPv6 checksum calculation

>Index: fil.c
>===================================================================
>--- fil.c	(revision 287906)
>+++ fil.c	(working copy)
>@@ -3433,8 +3433,8 @@
> 		sum += *sp++;
> #ifdef	USE_INET6
> 	} else if (IP_V(ip) == 6) {
>+		sum += (u_short)ip->ip_v; /* version */
> 		ip6 = (ip6_t *)ip;
>-		hlen = sizeof(*ip6);
> 		off = ((char *)fin->fin_dp - (char *)fin->fin_ip);
> 		sp = (u_short *)&ip6->ip6_src;
> 		sum += *sp++;	/* ip6_src */
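Review bot: the added "sum += (u_short)ip->ip_v; /* version */" puts the version field into the sum, but the IPv6 pseudo-header in RFC 2460 section 8.1 covers only the source address, destination address, upper-layer packet length and next header, so this term does not belong there; I'd drop it and add the next-header value instead. The read also goes through the IPv4 view of the header, one line before the "ip6 = (ip6_t *)ip;" cast. Separately, with "hlen = sizeof(*ip6);" removed, please confirm that nothing after this branch still reads hlen for the IPv6 case.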
>@@ -3454,6 +3454,10 @@
> 		sum += *sp++;
> 		sum += *sp++;
> 		sum += *sp++;
>+		sum += *sp++;	/* payload length */
>+		sum += *sp++;
>+		sum += *sp++;
>+		sum += *sp++;
> 	} else {
> 		return 0xffff;
> 	}
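Review bot: the four added "sum += *sp++;" lines under "/* payload length */" read eight bytes from wherever sp has reached, and sp was set to &ip6->ip6_src in the previous hunk, so it only moves forward from the source address; the payload length field sits before ip6_src in the IPv6 header and is 16 bits wide. If the preceding lines have already consumed ip6_src and ip6_dst, these reads land past the fixed header, in the first bytes of whatever follows it. I'd add the length explicitly (ip6->ip6_plen, or the upper-layer length when extension headers are present) rather than advancing sp.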

Client tested patch, fails to work.
Comment 3 andywhite 2015-10-06 13:08:18 UTC
using dtrace, it is apparent that checksums are not passing validation as the checksum pulled up doesn't match the computed checksum in ipfilter.

for example, the packet generated by 

nc -vvvv -u -p 33907 ::1 53

generates a checksum of 0x2332 , which dtrace shows is what fr_cksum generates, this is compared to hdrsum and fails

hdrsum is sourced from th_sum for tcp and uh_sum for udp.  dtrace shows these values to be incorrect checksums.

udp and tcp checksums were changed in kernel for ipv6 in r235959 and r235961 to use pseudo checksums.

see bug 203585
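
The mismatch described in comment 3, as an added example that is not part of the bug report or of the FreeBSD or ipfilter source: a receiver-style IPv6 checksum verification (RFC 2460 section 8.1 pseudo-header) returns zero for a finished UDP datagram but not for one whose checksum field holds only a pseudo-header sum. The datagram is constructed (ports taken from the nc command above, payload "test"), the function names are hypothetical, and the "pending" case is an assumed simplified model of a deferred checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Add len bytes to a ones'-complement accumulator as big-endian 16-bit words. */
static uint32_t sum_bytes(uint32_t sum, const uint8_t *p, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;   /* odd tail is zero-padded */
    return sum;
}

/* Fold the carries back in until the sum fits in 16 bits. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 2460 8.1 pseudo-header: src, dst, 32-bit upper-layer length, next header.
 * The version field and the IPv6 header length are not part of it. */
static uint32_t pseudo_sum(const uint8_t *src, const uint8_t *dst,
                           uint32_t l4len, uint8_t nxt)
{
    uint32_t sum = sum_bytes(sum_bytes(0, src, 16), dst, 16);
    return sum + (l4len >> 16) + (l4len & 0xffff) + nxt;
}

/* Receiver-side check over the pseudo-header plus the whole segment, checksum
 * field included. Returns 0 for a good packet. */
static uint16_t verify_l4(const uint8_t *src, const uint8_t *dst, uint8_t nxt,
                          const uint8_t *l4, size_t len)
{
    uint32_t sum = sum_bytes(pseudo_sum(src, dst, (uint32_t)len, nxt), l4, len);
    return (uint16_t)~fold(sum);
}

/* Constructed sample: UDP from ::1 port 33907 to ::1 port 53, payload "test". */
static const uint8_t LOOPBACK[16] = { [15] = 1 };
#define UDP_LEN  12
#define NXT_UDP  17

/* Build the sample datagram with the given checksum field and verify it. */
static uint16_t verify_with(uint16_t field)
{
    uint8_t u[UDP_LEN] = { 0x84, 0x73, 0x00, 0x35, 0x00, UDP_LEN,
                           (uint8_t)(field >> 8), (uint8_t)field,
                           't', 'e', 's', 't' };
    return verify_l4(LOOPBACK, LOOPBACK, NXT_UDP, u, UDP_LEN);
}

/* Finished packet: verifying with a zeroed field yields the value to store. */
uint16_t final_field(void)
{
    return verify_with(0);
}

/* Assumed model of a deferred checksum: the field carries only the folded
 * pseudo-header sum, the UDP header and payload are not summed yet. */
uint16_t pending_field(void)
{
    return fold(pseudo_sum(LOOPBACK, LOOPBACK, UDP_LEN, NXT_UDP));
}

int main(void)
{
    printf("final field    0x%04x -> verify 0x%04x\n",
           final_field(), verify_with(final_field()));
    printf("pending field  0x%04x -> verify 0x%04x\n",
           pending_field(), verify_with(pending_field()));
    return 0;
}
```

A filter that runs the full verification on the second packet sees a non-zero result and treats the packet as bad, even though the stack or NIC would have completed the checksum before transmission.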
Comment 4 Bjoern A. Zeeb freebsd_committer 2015-10-24 10:45:46 UTC
*** Bug 203585 has been marked as a duplicate of this bug. ***
Comment 5 Cy Schubert freebsd_committer 2016-03-23 02:18:47 UTC
Created attachment 168524 [details]
DTrace bad packets

The attached patch allows DTrace of bad packets. To use,

dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'
Comment 6 Cy Schubert freebsd_committer 2016-04-07 04:13:41 UTC
The ipfilter dtrace code has just been committed to 11-CURRENT. Can you try with the following dtrace command: dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'
Comment 7 frank 2016-12-22 10:24:37 UTC
Hi,

There does not seem to be much progress in this ticket. Unfortunately, it stops me from upgrading my 9.3 systems to 10.3 or 11.0.

Here is the dtrace you requested.


 0  57565 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x83
              kernel`ip6_output+0x1541
              kernel`udp6_send+0x9a9
              kernel`sosend_dgram+0x4d2
              kernel`kern_sendit+0x22a
              kernel`sendit+0x19f
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4ce
              kernel`0xffffffff80f8442b

  0  57565 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x83
              kernel`ip6_input+0x7a7
              kernel`swi_net+0x193
              kernel`intr_event_execute_handlers+0x20f
              kernel`ithread_loop+0xc6
              kernel`fork_exit+0x85
              kernel`0xffffffff80f8467e

  0  57565 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x83
              kernel`ip6_output+0x1541
              kernel`udp6_send+0x9a9
              kernel`sosend_dgram+0x4d2
              kernel`kern_sendit+0x22a
              kernel`sendit+0x19f
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4ce
              kernel`0xffffffff80f8442b

  0  57565 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x83
              kernel`ip6_output+0x1541
              kernel`udp6_send+0x9a9
              kernel`sosend_dgram+0x4d2
              kernel`kern_sendit+0x22a
              kernel`sendit+0x19f
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4ce
              kernel`0xffffffff80f8442b

  0  57565 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x83
              kernel`ip6_output+0x1541
              kernel`udp6_send+0x9a9
              kernel`sosend_dgram+0x4d2
              kernel`kern_sendit+0x22a
              kernel`sendit+0x19f
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4ce
              kernel`0xffffffff80f8442b
Comment 8 andywhite 2016-12-22 11:21:10 UTC
Yes, I made a patch that reverts the checksum changes that breaks ipv6.  This fixes the problem for me.
Comment 9 andywhite 2016-12-22 11:22:02 UTC
Created attachment 178202 [details]
patch to revert ip6 chksum changes that break ipfilter
Comment 10 frank 2016-12-22 14:26:52 UTC
O.k. I'm getting more confused by the minute :-(

With Andy's patch applied on FreeBSD 11.0 the problem with IP-Filter marking packets as bad is gone, and I can for example do DNS queries with IPv6 again.

However, when I do an ssh with ipv6 to another system (FreeBSD 9.3) then the connection fails.
When I use tcpdump or tshark, they both report a TCP Checksum error on the incoming SSH packet.
With a generic FreeBSD 11.0 kernel and ipfilter disabled, this connection works fine without checksum errors.

My (possibly inaccurate or incorrect) conclusion thus is: the patch in r235959 and r235961 is probably correct (also because of the fact that the patches are in the source since 2012).
Therefore we need to teach IP-Filter that the th_sum and uh_sum fields now contain a pseudo header checksum. At the moment, I have no clue how to do that.

To be honest I cannot explain why it does work for UDP.

I hope somebody can solve this, since it is stopping the upgrade from FreeBSD 9 to FreeBSD 10 or 11.
Comment 11 andywhite 2016-12-23 00:21:11 UTC
you are probably hitting another bug.  Make sure TSO is disabled on your NIC
Comment 12 Cy Schubert freebsd_committer 2016-12-23 17:42:37 UTC
Can you provide the following dtrace output please?

dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }' -n 'sdt:::l4sums /args[0] != args[1]/  { printf("%d %d\n",args[0],args[1]); }'
Comment 13 frank 2016-12-25 20:23:14 UTC
Hi,

Here is the output you requested (a few DNS lookups and SSH sessions initiated from the FreeBSD 11.0 system).

Regards

Frank

dtrace: description 'sdt:::ipf_fi_bad_* ' matched 34 probes
dtrace: description 'sdt:::l4sums ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0  57669                      none:l4sums 7168 43121

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 7168 43121

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_input+0xb98
              kernel`swi_net+0x1d1
              kernel`intr_event_execute_handlers+0x220
              kernel`ithread_loop+0xc6
              kernel`fork_exit+0x85
              kernel`0xffffffff80f58a6e

  0  57669                      none:l4sums 15708 28175

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 15708 28175

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 15708 28175

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 7168 571

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 7168 571

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_input+0xb98
              kernel`swi_net+0x1d1
              kernel`intr_event_execute_handlers+0x220
              kernel`ithread_loop+0xc6
              kernel`fork_exit+0x85
              kernel`0xffffffff80f58a6e

  0  57669                      none:l4sums 15708 11214

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 15708 11214

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 15708 11214

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 24866 48280

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`tcp_output+0x194a
              kernel`tcp6_usr_connect+0x1c3
              kernel`kern_connectat+0x125
              kernel`sys_connect+0x77
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 7168 54144

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 7168 54144

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_input+0xb98
              kernel`swi_net+0x1d1
              kernel`intr_event_execute_handlers+0x220
              kernel`ithread_loop+0xc6
              kernel`fork_exit+0x85
              kernel`0xffffffff80f58a6e

  0  57669                      none:l4sums 15708 39504

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 15708 39504

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 15708 39504

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`udp6_send+0x9bd
              kernel`sosend_dgram+0x470
              kernel`kern_sendit+0x244
              kernel`sendit+0x18e
              kernel`sys_sendmsg+0x61
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b

  0  57669                      none:l4sums 24866 19085

  0  57653 none:ipf_fi_bad_checkv6sum_checkl4sum
              ipl.ko`ipf_makefrip+0xd3b
              ipl.ko`ipf_check+0x16a
              kernel`pfil_run_hooks+0x84
              kernel`ip6_output+0x1653
              kernel`tcp_output+0x194a
              kernel`tcp6_usr_connect+0x1c3
              kernel`kern_connectat+0x125
              kernel`sys_connect+0x77
              kernel`amd64_syscall+0x4df
              kernel`0xffffffff80f5881b
Comment 14 Cy Schubert freebsd_committer 2017-01-27 08:30:01 UTC
Created attachment 179344 [details]
Partial patch to "teach" ipfilter about changed IPv6 checksum calculations

This is not a perfect patch but generally addresses the issue. Like pf it doesn't calculate ICMPV6 checksums, letting them pass regardless (this will need to be addressed in ipfilter and pf).

If you still have problems after applying the patch, please temporarily delete your ipfilter rules using: ipf -Fa, then run the following dtrace command and post the output.

dtrace \
-n 'fbt::ipf_pcksum:entry { printf("hlen = %d  sum = %d\n", args[2], args[3]); }' \
-n 'fbt::ipf_pcksum:return { printf("rc = %d\n", arg1); }' \
-n 'sdt:::l4sums /args[0] != args[1]/ { printf("%d %d\n",args[0],args[1]); }'
Comment 15 frank 2017-01-29 11:10:05 UTC
Unfortunately, the patch does not seem to work. 
For example for this command:

   dig @2001:888:0:7::77 ntp2-2.xs4all.nl

The following dtrace is produced (and the outgoing packet is blocked by ipfilter marked as BAD):

  0  56620                 ipf_pcksum:entry hlen = 40  sum = 0

  0  57511                      none:l4sums 7168 50236

  0  56620                 ipf_pcksum:entry hlen = 40  sum = 0

  0  57511                      none:l4sums 7168 50236

  0  56620                 ipf_pcksum:entry hlen = 40  sum = 0

  0  57511                      none:l4sums 12636 44155

  0  56620                 ipf_pcksum:entry hlen = 40  sum = 0

  0  57511                      none:l4sums 12636 44155

  0  56620                 ipf_pcksum:entry hlen = 40  sum = 0

  0  57511                      none:l4sums 12636 44155


Similar outgoing ssh on ipv6 fails with "network unreachable", a BAD outgoing packet and the following DTRACE:

  0  56620                 ipf_pcksum:entry hlen = 40  sum = 0

  0  57511                      none:l4sums 24866 10256
Comment 16 Cy Schubert freebsd_committer 2017-02-07 21:03:03 UTC
Created attachment 179727 [details]
This patch is a little closer to what pf does when ipv6 cksum is zero.

This patch circumvents the issue when the checksum calculates to zero. This is similar to what pf does at line 5790 of pf.c r313001.
Comment 17 frank 2017-02-11 16:44:36 UTC
Comment on attachment 179727 [details]
This patch is a little closer to what pf does when ipv6 cksum is zero.

On my test system (11.0 RELEASE) this seems to do the trick.
No more ipv6 packets (incoming or outgoing) marked as BAD at the moment.

I leave the system running for some more time. Then if I find no issues, I will backport the patch to one of my production 10.3 systems.....

Thanks,

Frank
Comment 18 frank 2017-02-12 18:58:17 UTC
Switched a 10.3 production system back to IP-Filter with the latest patch applied.

So far so good, no blocking of packets marked as BAD and everything seems to work fine. 

Also the 11.0 test system still runs smoothly with this patch applied.
Comment 19 Cy Schubert freebsd_committer 2017-07-12 06:02:05 UTC
Do you have anything to report?
Comment 20 frank 2017-07-12 07:40:58 UTC
Hi,

I have not seen any IPv6 packets being marked as BAD on my 3 FreeBSD 10.3 systems since I applied the patch. I do not have FreeBSD 11 systems in production at the moment.

So, I think the patch is good, and I would love to see it in FreeBSD 10.4 and FreeBSD 11.1 if possible.

Many thanks for your efforts!

Regards,

Frank
Comment 21 Cy Schubert freebsd_committer 2017-07-12 12:24:07 UTC
I'll try. I'm not enamoured with the patch as it needs some rework.
Comment 22 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:48:06 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 23 Cy Schubert freebsd_committer 2018-05-28 19:55:48 UTC
I have a workaround in my tree that implements what pf does. I'll look at committing it.
Comment 24 commit-hook freebsd_committer 2019-06-12 11:08:16 UTC
A commit references this bug:

Author: cy
Date: Wed Jun 12 11:06:59 UTC 2019
New revision: 348987
URL: https://svnweb.freebsd.org/changeset/base/348987

Log:
  Resolve IPv6 checksum errors with stateful inspection. According to
  PR/203585 this appears to have been broken by r235959, which predates
  the ipfilter 5.1.2 import into FreeBSD.

  The IPv6 checksum calculation is incorrect. To resolve this we call
  in6_cksum() to do the heavy lifting for us, through a new function
  ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
  is added to aid with future debugging.

  PR:		203275, 203585
  MFC after:	1 month
  Differential Revision:	https://reviews.freebsd.org/D20583

Changes:
  head/sys/contrib/ipfilter/netinet/fil.c
  head/sys/contrib/ipfilter/netinet/ip_fil.h
  head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Comment 25 Cy Schubert freebsd_committer 2019-06-13 00:44:17 UTC
Fixed.
Comment 26 commit-hook freebsd_committer 2019-07-12 00:51:37 UTC
A commit references this bug:

Author: cy
Date: Fri Jul 12 00:50:36 UTC 2019
New revision: 349927
URL: https://svnweb.freebsd.org/changeset/base/349927

Log:
  MFC r348987, r348989:

  Resolve IPv6 checksum errors with stateful inspection. According to
  PR/203585 this appears to have been broken by r235959, which predates
  the ipfilter 5.1.2 import into FreeBSD.

  The IPv6 checksum calculation is incorrect. To resolve this we call
  in6_cksum() to do the heavy lifting for us, through a new function
  ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
  is added to aid with future debugging.

  Plus whitespace adjustments (r348989).

  PR:		203275, 203585
  Differential Revision:	https://reviews.freebsd.org/D20583

Changes:
_U  stable/10/
  stable/10/sys/contrib/ipfilter/netinet/fil.c
  stable/10/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/10/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
_U  stable/11/
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
_U  stable/12/
  stable/12/sys/contrib/ipfilter/netinet/fil.c
  stable/12/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/12/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Comment 27 commit-hook freebsd_committer 2019-07-12 02:14:47 UTC
A commit references this bug:

Author: cy
Date: Fri Jul 12 02:14:07 UTC 2019
New revision: 349931
URL: https://svnweb.freebsd.org/changeset/base/349931

Log:
  MFC r349927, r349929:

  r349927:
    Resolve IPv6 checksum errors with stateful inspection. According to
    PR/203585 this appears to have been broken by r235959, which predates
    the ipfilter 5.1.2 import into FreeBSD.

    The IPv6 checksum calculation is incorrect. To resolve this we call
    in6_cksum() to do the heavy lifting for us, through a new function
    ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
    is added to aid with future debugging.

    Plus whitespace adjustments (r348989).

    PR:		203275, 203585
    Differential Revision:	https://reviews.freebsd.org/D20583

  r349929:
    Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
    The reason for this is that ipftest(8), which still works on FreeBSD-11,
    fails to link to it, breaking stable/11 builds.

    ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
    glebius@ suggested we disable building it until I can get around to
    fixing it. Hence this was not caught in -current.

    The intention is to fix ipftest(8) as it is used by the netbsd-tests
    (imported by ngie@ many moons ago) for regression testing.

Changes:
_U  stable/10/
  stable/10/sys/contrib/ipfilter/netinet/fil.c
  stable/10/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/10/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
_U  stable/11/
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Comment 28 commit-hook freebsd_committer 2019-12-12 20:45:46 UTC
A commit references this bug:

Author: cy
Date: Thu Dec 12 20:44:46 UTC 2019
New revision: 355669
URL: https://svnweb.freebsd.org/changeset/base/355669

Log:
  in6_cksum() returns zero when checksums are good.

  PR:		203275
  Reported by:	Frank Volf <frank@deze.org>
  MFC after:	3 days

Changes:
  head/sys/contrib/ipfilter/netinet/fil.c