pf: Fix IPv6 checksums with route-to.

When using route-to (or reply-to) pf sends the packet directly to the output
interface. If that interface doesn't support checksum offloading the checksum
has to be calculated in software.
That was already done in the IPv4 case, but not for the IPv6 case. As a result
we'd emit packets with pseudo-header checksums (i.e. incorrect checksums).

This issue was exposed by the changes in r289316 when pf stopped performing full
checksum calculations for all packets.

Submitted by:	Luoqi Chen
MFC after:	1 week

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 792782b392b20a2da8dd146d448e609ef4afc09e..1dfc37dd04f31933ec77a8f02ea0ca459729f344 100644 (file)
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5574,6 +5574,13 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
        if (ifp->if_flags & IFF_LOOPBACK)
                m0->m_flags |= M_SKIP_FIREWALL;
 
+       if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
+           ~ifp->if_hwassist) {
+               uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
+               in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr));
+               m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+       }
+
        /*
         * If the packet is too large for the outgoing interface,
         * send back an icmp6 error.