Bug 203585 - update 235959 and 235961 breaks ipv6 layer 4 checksums in ipf
Summary: update 235959 and 235961 breaks ipv6 layer 4 checksums in ipf
Status: Closed DUPLICATE of bug 203275
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.2-STABLE
Hardware: Any Any
: --- Affects Some People
Assignee: Bjoern A. Zeeb
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2015-10-06 13:02 UTC by andywhite
Modified: 2019-07-12 02:14 UTC (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description andywhite 2015-10-06 13:02:41 UTC 
r235959 changes ipv6 layer4 checksums for udp and
r235961 changes ipv6 layer4 checksums for tcp

these changes result in th_sum and uh_sum only containing pseudo checksum data, which breaks ipfilter checksum verification for stateful ipv6 .

sys/contrib/ipfilter/netinet/fil.c compares for tcp

csump = &((tcphdr_t *)fin->fin_dp)->th_sum; 

or for udp

csump = &udp->uh_sum;

against ipfilters own checksum functions fr_cksum , to validate checksums, this check now fails, resulting in ipfilter not being able to function statefully for ipv6 tcp/udp

see bug 203275
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2015-10-11 08:58:58 UTC 
Over to committer of two MFp4s in question.
Comment 2 Bjoern A. Zeeb freebsd_committer freebsd_triage 2015-10-24 10:45:46 UTC 
Hi,

let's track all of this in one bug report and not two.  I'll mark this as a DUP of the other one and we can follow-up there.

/bz

*** This bug has been marked as a duplicate of bug 203275 ***
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-06-12 11:08:19 UTC 
A commit references this bug:

Author: cy
Date: Wed Jun 12 11:06:59 UTC 2019
New revision: 348987
URL: https://svnweb.freebsd.org/changeset/base/348987

Log:
  Resolve IPv6 checksum errors with stateful inspection. According to
  PR/203585 this appears to have been broken by r235959, which predates
  the ipfilter 5.1.2 import into FreeBSD.

  The IPv6 checksum calculation is incorrect. To resolve this we call
  in6_cksum() to do the the heavy lifting for us, through a new function
  ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
  is added to aid with future debugging.

  PR:		203275, 203585
  MFC after:	1 month
  Differential Revision:	https://reviews.freebsd.org/D20583

Changes:
  head/sys/contrib/ipfilter/netinet/fil.c
  head/sys/contrib/ipfilter/netinet/ip_fil.h
  head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-07-12 00:51:39 UTC 
A commit references this bug:

Author: cy
Date: Fri Jul 12 00:50:36 UTC 2019
New revision: 349927
URL: https://svnweb.freebsd.org/changeset/base/349927

Log:
  MFC r348987, r348989:

  Resolve IPv6 checksum errors with stateful inspection. According to
  PR/203585 this appears to have been broken by r235959, which predates
  the ipfilter 5.1.2 import into FreeBSD.

  The IPv6 checksum calculation is incorrect. To resolve this we call
  in6_cksum() to do the the heavy lifting for us, through a new function
  ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
  is added to aid with future debugging.

  Plus whitespace adjustments (r348989).

  PR:		203275, 203585
  Differential Revision:	https://reviews.freebsd.org/D20583

Changes:
_U  stable/10/
  stable/10/sys/contrib/ipfilter/netinet/fil.c
  stable/10/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/10/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
_U  stable/11/
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
_U  stable/12/
  stable/12/sys/contrib/ipfilter/netinet/fil.c
  stable/12/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/12/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2019-07-12 02:14:45 UTC 
A commit references this bug:

Author: cy
Date: Fri Jul 12 02:14:07 UTC 2019
New revision: 349931
URL: https://svnweb.freebsd.org/changeset/base/349931

Log:
  MFC r349927, r349929:

  r349927:
    Resolve IPv6 checksum errors with stateful inspection. According to
    PR/203585 this appears to have been broken by r235959, which predates
    the ipfilter 5.1.2 import into FreeBSD.

    The IPv6 checksum calculation is incorrect. To resolve this we call
    in6_cksum() to do the the heavy lifting for us, through a new function
    ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
    is added to aid with future debugging.

    Plus whitespace adjustments (r348989).

    PR:		203275, 203585
    Differential Revision:	https://reviews.freebsd.org/D20583

  r349929:
    Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
    The reason for this is that ipftest(8), which still works on FreeBSD-11,
    fails to link to it, breaking stable/11 builds.

    ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
    glebius@ suggested we disable building it until I can get around to
    fixing it. Hence this was not caught in -current.

    The intention is to fix ipftest(8) as it is used by the netbsd-tests
    (imported by ngie@ many moons ago) for regression testing.

Changes:
_U  stable/10/
  stable/10/sys/contrib/ipfilter/netinet/fil.c
  stable/10/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/10/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
_U  stable/11/
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c