On 07/26/15 06:16, Kristof Provost wrote:
> On 2015-07-15 00:54:25 (-0700), Colin Percival <[email protected]> wrote:
>> In my tests, deleting these lines from pf_ioctl.c
>> 3570 /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
>> [...]
>> unbreaks pf+TSO on EC2 instances. I'm not entirely sure why these lines
>> are there in the first place, which is why I didn't want to simply go in
>> and remove them -- but it may be that wrapping those lines in something
>> like "if ((csum_flags & CSUM_TSO) == 0)" would solve the problem without
>> breaking anything else.
>
> I think the reason for this checksum calculation is that pf sometimes
> modifies the packet, so it also updates the checksum.

Aha, this is exactly the sort of thing I was worried about. I'm glad you
understand this stuff better than me.

> It doesn't work on Xen TSO interfaces because (I assume) it expects to
> get the pseudo header checksum, not the full checksum.
> It's not entirely clear to me why it's not broken on my hardware (which
> claims TSO support), but perhaps Xen is more picky than actual hardware.

I'm not 100% certain about this, but I don't think Xen is doing anything
with the checksum; rather, everything is being passed through to the
underlying hardware, and some NICs are pickier than others.

I'll refrain from commenting on your plans for fixing this since, as I
mentioned above, you understand how pf and the network stack work far
better than I do. :-)

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
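
The difference between a pseudo-header checksum and a full checksum that the quoted text refers to, as an added example that is not part of this thread and is not pf or driver code. The offload model in `wire_csum_ok` is a simplified assumption, and all names and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 10.0.0.1 -> 10.0.0.2, 20-byte TCP header + "pf+TSO". */
static const uint8_t SRC[4] = {10, 0, 0, 1}, DST[4] = {10, 0, 0, 2};
static const uint8_t SEG[26] = {
    0x30, 0x39, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0x20, 0x00,
    0, 0, 0, 0, 'p', 'f', '+', 'T', 'S', 'O' };   /* bytes 16-17: checksum */

/* One's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t ocsum(const uint8_t *p, size_t n, uint32_t sum)
{
    for (; n > 1; p += 2, n -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Uncomplemented pseudo-header sum (src, dst, proto 6, TCP length):
 * the seed a checksum-offload engine expects in the checksum field. */
static uint16_t pseudo_sum(size_t tcplen)
{
    return ocsum(DST, 4, ocsum(SRC, 4, 6 + (uint32_t)tcplen));
}

/* Simplified offload model (assumption): the "NIC" sums the segment including
 * whatever the stack left in the checksum field, complements and stores it.
 * Returns 1 if a receiver would then accept the checksum on the wire. */
static int wire_csum_ok(int seed_is_full)
{
    uint8_t seg[sizeof(SEG)];
    uint16_t c = pseudo_sum(sizeof(seg));
    memcpy(seg, SEG, sizeof(seg));
    if (seed_is_full)                     /* software already finished the job */
        c = (uint16_t)~ocsum(seg, sizeof(seg), c);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    c = (uint16_t)~ocsum(seg, sizeof(seg), 0);            /* the "NIC" pass */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    return ocsum(seg, sizeof(seg), pseudo_sum(sizeof(seg))) == 0xffff;
}

int main(void)
{
    printf("pseudo seed ok=%d, full-checksum seed ok=%d\n",
           wire_csum_ok(0), wire_csum_ok(1));
    return 0;
}
```

Under this model a full checksum left in the field is summed a second time by the offload pass, so the receiver rejects the segment, while the pseudo-header seed produces a valid one.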
