Hi,

When pf modifies a TCP packet, it sets the M_TCP_CSUM_OUT flag in
the mbuf packet header.  If the packet is later dropped in
ip6_forward(), the TCP mbuf is copied and passed to icmp6_error().
The inherited M_TCP_CSUM_OUT flag generates ICMP6 packets with
incorrect checksum.  So reset the csum_flags when packets are
generated by icmp6_reflect() or icmp6_redirect_output().

ok?

bluhm

Index: netinet6/icmp6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/icmp6.c,v
retrieving revision 1.167
diff -u -p -r1.167 icmp6.c
--- netinet6/icmp6.c    11 Sep 2015 08:17:06 -0000      1.167
+++ netinet6/icmp6.c    11 Sep 2015 10:51:11 -0000
@@ -1283,7 +1283,7 @@ icmp6_reflect(struct mbuf *m, size_t off
                ip6->ip6_hlim = ip6_defhlim;
 
        icmp6->icmp6_cksum = 0;
-       m->m_pkthdr.csum_flags |= M_ICMP_CSUM_OUT;
+       m->m_pkthdr.csum_flags = M_ICMP_CSUM_OUT;
 
        /*
         * XXX option handling
@@ -1786,7 +1786,7 @@ noredhdropt:
        ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
 
        nd_rd->nd_rd_cksum = 0;
-       m->m_pkthdr.csum_flags |= M_ICMP_CSUM_OUT;
+       m->m_pkthdr.csum_flags = M_ICMP_CSUM_OUT;
 
        /* send the packet to outside... */
        ip6_output(m, NULL, NULL, 0, NULL, NULL);

Reply via email to