On 07/26/15 06:16, Kristof Provost wrote:
> On 2015-07-15 00:54:25 (-0700), Colin Percival <cperc...@freebsd.org> wrote:
>> In my tests, deleting these lines from pf_ioctl.c
>> 3570 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
>> [...]
>> unbreaks pf+TSO on EC2 instances.  I'm not entirely sure why these lines
>> are there in the first place, which is why I didn't want to simply go in
>> and remove them -- but it may be that wrapping those lines in something
>> like "if ((csum_flags & CSUM_TSO) == 0)" would solve the problem without
>> breaking anything else.
> I think the reason for this checksum calculation is that pf sometimes
> modifies the packet, so it also updates the checksum.

Aha, this is exactly the sort of thing I was worried about.  I'm glad you
understand this stuff better than me.

> It doesn't work on Xen TSO interfaces because (I assume) it expects to
> get the pseudo header checksum, not the full checksum.
> It's not entirely clear to my why it's not broken on my hardware (which
> claims TSO support), but perhaps Xen is more picky than actual hardware.

I'm not 100% certain about this, but I don't think Xen is doing anything
with the checksum; rather, everything is being passed through to the
underlying hardware, and some NICs are pickier than others.

I'll refrain from commenting on your plans for fixing this since, as I
mentioned above, you understand how pf and the network stack work far better
than I do. :-)

Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
freebsd-xen@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-xen-unsubscr...@freebsd.org"

Reply via email to