On 12 Apr 2022, at 21:40, Charles Sprickman wrote:

On Apr 12, 2022, at 6:43 AM, Kristof Provost <k...@freebsd.org> wrote:

On 12 Apr 2022, at 2:07, Matt Garber wrote:
On Mon, Apr 11, 2022 at 7:15 PM mike tancsa <m...@sentex.net> wrote:

I was setting up a VM pf firewall and noticed I was not able to nat out
for some reason. Looking at the pcap, it seems when the vm is in
forwarding mode, I get tcp checksum errors. If I do a

ifconfig vtnet1 -rxcsum

ifconfig vtnet0 -rxcsum

nat then seems to work fine

The setup is a simple VM with the hypervisor libvirt/KVM Ubuntu 20 LTS. Guest is RELENG_13 from Apr 11/2022. If I change to em nics in the VM, all is fine out of the box.


I opened up https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263229



Unless someone knows otherwise, I’ve been under the impression that PF — or potentially any of the other FreeBSD firewalls (?), but I use PF — has been “broken” in that regard on Linux KVM-based FreeBSD guests for years. As such I’ve always needed to use csum_disable flags on the vtnet interfaces or suffer *extremely* poor network performance, even for servers not doing NAT forwarding.

That PF checksum issue was fixed in c110fc49da2995d10d60d908af0838ecb4be9bee, back in 2015.

Do you have a bug ID that references this issue/fix?

        commit c110fc49da2995d10d60d908af0838ecb4be9bee
        Author: Kristof Provost <k...@freebsd.org>
        Date:   Wed Oct 14 16:21:41 2015 +0000

            pf: Fix TSO issues

            In certain configurations (mostly but not exclusively as a VM on Xen) pf
            produced packets with an invalid TCP checksum.

            The problem was that pf could only handle packets with a full checksum. The
            FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
            addresses, length and protocol).
            Certain network interfaces expect to see the pseudo-header checksum, so they
            end up producing packets with invalid checksums.

            To fix this stop calculating the full checksum and teach pf to only update TCP
            checksums if TSO is disabled or the change affects the pseudo-header checksum.

            PR:             154428, 193579, 198868
            Reviewed by:    sbruno
            MFC after:      1 week
            Relnotes:       yes
            Sponsored by:   RootBSD
            Differential Revision:  https://reviews.freebsd.org/D3779

Kristof
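
The checksum arithmetic that the commit message above describes, as an added example that is not part of the thread and is not pf's code: a NAT address rewrite updates the pseudo-header sum incrementally, and an offloading interface then completes it. All function names, addresses and the sample SYN segment are constructed for illustration, and `nic_finish` is a simplified model of an interface that expects the pseudo-header sum in the checksum field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t csum(const uint8_t *p, size_t len, uint32_t sum) {
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* Pseudo-header sum: addresses, length and protocol only, not complemented. */
uint16_t pseudo_sum(const uint8_t *src, const uint8_t *dst, uint16_t tcp_len) {
    return csum(dst, 4, csum(src, 4, 6u /* IPPROTO_TCP */ + tcp_len));
}
/* NAT rewrote an address: subtract the old words, add the new (one's complement). */
uint16_t nat_fix_pseudo(uint16_t sum, const uint8_t *old_a, const uint8_t *new_a) {
    uint8_t inv[4];
    for (int i = 0; i < 4; i++) inv[i] = (uint8_t)~old_a[i];
    return csum(new_a, 4, csum(inv, 4, sum));
}
/* Offloading NIC model: sums the segment, seeded by whatever the field holds. */
void nic_finish(uint8_t *seg, size_t len) {
    uint16_t c = (uint16_t)~csum(seg, len, 0);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
}
/* Receiver check: pseudo-header plus segment must sum to 0xffff. */
int tcp_valid(const uint8_t *src, const uint8_t *dst, const uint8_t *seg, size_t len) {
    return csum(seg, len, pseudo_sum(src, dst, (uint16_t)len)) == 0xffff;
}
/* Constructed sample: SYN from 10.0.0.5, source-NATed to 203.0.113.7.
 * field_is_full=0: field carries the pseudo-header sum, updated for the new address.
 * field_is_full=1: field already carries a full checksum when the NIC finishes it. */
int nat_then_offload(int field_is_full) {
    const uint8_t in[4] = {10,0,0,5}, out[4] = {203,0,113,7}, dst[4] = {198,51,100,9};
    uint8_t seg[20] = {0xc0,0x00, 0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0};
    uint16_t p = nat_fix_pseudo(pseudo_sum(in, dst, (uint16_t)sizeof seg), in, out);
    seg[16] = (uint8_t)(p >> 8); seg[17] = (uint8_t)p;
    if (field_is_full) nic_finish(seg, sizeof seg);  /* software already completed it */
    nic_finish(seg, sizeof seg);                     /* hardware completes it (again) */
    return tcp_valid(out, dst, seg, sizeof seg);
}
int main(void) {
    printf("pseudo-header sum in field: valid=%d\n", nat_then_offload(0));
    printf("full checksum in field:     valid=%d\n", nat_then_offload(1));
    return 0;
}
```

A port rewrite would not touch the pseudo-header sum at all, because ports live in the TCP header that the interface sums itself.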
