| See http://www.freebsd.org/cgi/query-pr.cgi?pr=93849 for background. Max' patch is correct, but there are other modifications which also require checksum fixing, unless I'm mistaken. I suggest the patch below. Proof-reading and testing welcome Daniel Index: pf_norm.c ================================================== ================= RCS file: /cvs/src/sys/net/pf_norm.c,v retrieving revision 1.104 diff -u -r1.104 pf_norm.c --- pf_norm.c 18 Jan 2006 22:03:21 -0000 1.104 +++ pf_norm.c 8 Mar 2006 16:27:57 -0000 @@ -864,8 +864,12 @@ goto drop; /* Clear IP_DF if the rule uses the no-df option */ - if (r->rule_flag & PFRULE_NODF) + if (r->rule_flag & PFRULE_NODF && h->ip_off & htons(IP_DF)) { + u_int16_t ip_off = h->ip_off; + h->ip_off &= htons(~IP_DF); + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); + } /* We will need other tests here */ if (!fragoff && !mff) @@ -968,11 +972,20 @@ no_fragment: /* At this point, only IP_DF is allowed in ip_off */ - h->ip_off &= htons(IP_DF); + if (h->ip_off & ~htons(IP_DF)) { + u_int16_t ip_off = h->ip_off; + + h->ip_off &= htons(IP_DF); + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); + } /* Enforce a minimum ttl, may cause endless packet loops */ - if (r->min_ttl && h->ip_ttl < r->min_ttl) + if (r->min_ttl && h->ip_ttl < r->min_ttl) { + u_int16_t ip_ttl = h->ip_ttl; + h->ip_ttl = r->min_ttl; + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); + } if (r->rule_flag & PFRULE_RANDOMID) { u_int16_t ip_id = h->ip_id; @@ -987,8 +1000,12 @@ fragment_pass: /* Enforce a minimum ttl, may cause endless packet loops */ - if (r->min_ttl && h->ip_ttl < r->min_ttl) + if (r->min_ttl && h->ip_ttl < r->min_ttl) { + u_int16_t ip_ttl = h->ip_ttl; + h->ip_ttl = r->min_ttl; + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); + } if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) pd->flags |= PFDESC_IP_REAS; return (PF_PASS); |
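Review bot: In the hunk at -864, the new condition `r->rule_flag & PFRULE_NODF && h->ip_off & htons(IP_DF)` relies on `&` binding tighter than `&&`. It evaluates as intended, but explicit grouping makes that obvious to the next reader: `if ((r->rule_flag & PFRULE_NODF) && (h->ip_off & htons(IP_DF))) {`. The comment above it could also mention the checksum adjustment, e.g. `/* Clear IP_DF if the rule uses the no-df option, fixing up ip_sum */`. The enclosing function begins and ends outside the hunk.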
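Review bot: In the min-ttl blocks of the hunks at -968 and -987, the bare 8-bit TTL values are passed to `pf_cksum_fixup()`, whereas the other calls in this patch pass whole 16-bit header fields. `ip_ttl` shares its checksum word with `ip_p` and is the first byte of that word on the wire, so the unshifted byte matches its lane only on a little-endian host; on a big-endian host the adjustment would presumably land in the protocol byte and leave a wrong `ip_sum`, which receivers would then discard. The helper's definition is not on this page, so this should be confirmed against it, but placing the byte explicitly removes the dependency: `h->ip_sum = pf_cksum_fixup(h->ip_sum, htons(ip_ttl << 8), htons(h->ip_ttl << 8), 0);`. The same block is duplicated under `no_fragment:` and `fragment_pass:`, so both copies need the change.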