this is used for return-rst for example. not surprisingly just works here.
Index: net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.866
diff -u -p -r1.866 pf.c
--- net/pf.c 23 Jan 2014 23:51:29 -0000 1.866
+++ net/pf.c 24 Jan 2014 06:03:35 -0000
@@ -2375,15 +2375,21 @@ pf_send_tcp(const struct pf_rule *r, sa_
 m->m_data += max_linkhdr;
 m->m_pkthdr.len = m->m_len = len;
 m->m_pkthdr.rcvif = NULL;
+ m->m_pkthdr.csum_flags |= M_TCP_CSUM_OUT;
 bzero(m->m_data, len);
 switch (af) {
 #ifdef INET
 case AF_INET:
 h = mtod(m, struct ip *);
-
- /* IP header fields included in the TCP checksum */
 h->ip_p = IPPROTO_TCP;
 h->ip_len = htons(tlen);
+ h->ip_v = 4;
+ h->ip_hl = sizeof(*h) >> 2;
+ h->ip_tos = IPTOS_LOWDELAY;
+ h->ip_len = htons(len);
+ h->ip_off = htons(ip_mtudisc ? IP_DF : 0);
+ h->ip_ttl = ttl ? ttl : ip_defttl;
+ h->ip_sum = 0;
 h->ip_src.s_addr = saddr->v4.s_addr;
 h->ip_dst.s_addr = daddr->v4.s_addr;
 
@@ -2393,10 +2399,10 @@ pf_send_tcp(const struct pf_rule *r, sa_
 #ifdef INET6
 case AF_INET6:
 h6 = mtod(m, struct ip6_hdr *);
-
- /* IP header fields included in the TCP checksum */
 h6->ip6_nxt = IPPROTO_TCP;
 h6->ip6_plen = htons(tlen);
+ h6->ip6_vfc |= IPV6_VERSION;
+ h6->ip6_hlim = IPV6_DEFHLIM;
 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
 
@@ -2425,17 +2431,6 @@ pf_send_tcp(const struct pf_rule *r, sa_
 switch (af) {
 #ifdef INET
 case AF_INET:
- /* TCP checksum */
- th->th_sum = in_cksum(m, len);
-
- /* Finish the IP header */
- h->ip_v = 4;
- h->ip_hl = sizeof(*h) >> 2;
- h->ip_tos = IPTOS_LOWDELAY;
- h->ip_len = htons(len);
- h->ip_off = htons(ip_mtudisc ? IP_DF : 0);
- h->ip_ttl = ttl ? ttl : ip_defttl;
- h->ip_sum = 0;
 if (eh == NULL) {
 ip_output(m, (void *)NULL, (void *)NULL, 0,
 (void *)NULL, (void *)NULL);
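Review bot: In the first hunk's AF_INET case the context line `h->ip_len = htons(tlen);` becomes a dead store, since the added `h->ip_len = htons(len);` four lines later overwrites it with only other header stores in between. The `tlen` value looks like it was there for the pseudo-header that `in_cksum(m, len)` summed, and that call is removed further down, so the line can simply be deleted. With `M_TCP_CSUM_OUT` set, `th_sum` is no longer filled in by this function, so it is worth a comment such as `/* TCP checksum is completed on output via M_TCP_CSUM_OUT */` and a check that the branch taken when `eh != NULL` (outside the visible hunks) also reaches code that honours the flag; a reset sent with a bad checksum is dropped by the peer and return-rst would fail silently. pf_send_tcp starts and ends outside the hunk.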
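Review bot: In the second hunk's AF_INET6 case the added `h6->ip6_hlim = IPV6_DEFHLIM;` is unconditional, while the IPv4 case in the first hunk uses `h->ip_ttl = ttl ? ttl : ip_defttl;`, so a non-zero `ttl` (presumably supplied by the caller) is ignored for IPv6. The asymmetry predates this change, as the same line is removed in the last hunk, but since the line is being moved anyway it could become `h6->ip6_hlim = ttl ? ttl : IPV6_DEFHLIM;`, or carry a comment saying the difference is intentional. The enclosing case continues outside the hunk.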
@@ -2462,13 +2457,6 @@ pf_send_tcp(const struct pf_rule *r, sa_
 #endif /* INET */
 #ifdef INET6
 case AF_INET6:
- /* TCP checksum */
- th->th_sum = in6_cksum(m, IPPROTO_TCP,
- sizeof(struct ip6_hdr), tlen);
-
- h6->ip6_vfc |= IPV6_VERSION;
- h6->ip6_hlim = IPV6_DEFHLIM;
-
 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
 break;
 #endif /* INET6 */
-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/