Hi, On its receive path, wg(4) uses the same mbuf for both the encrypted capsule and its encapsulated packet, which it passes up to the stack. We must therefore clear this mbuf's checksum status flags, as although the capsule may have been subject to hardware offload, its encapsulated packet was not.
This ensures that the transport checksums of packets bound for local delivery are verified. That is necessary because, although the tunnel provides stronger integrity checks, the tunnel endpoints and the transport endpoints needn't coincide. However, as the network and tunnel endpoints _do_ conincide, it remains unncessary to check the per-hop IPv4 checksum. ok? Index: net/if_wg.c =================================================================== RCS file: /cvs/src/sys/net/if_wg.c,v retrieving revision 1.7 diff -u -p -u -p -r1.7 if_wg.c --- net/if_wg.c 23 Jun 2020 10:03:49 -0000 1.7 +++ net/if_wg.c 27 Jun 2020 02:48:37 -0000 @@ -1660,14 +1660,10 @@ wg_decap(struct wg_softc *sc, struct mbu goto error; } - /* - * We can mark incoming packet csum OK. We mark all flags OK - * irrespective to the packet type. - */ - m->m_pkthdr.csum_flags |= (M_IPV4_CSUM_IN_OK | M_TCP_CSUM_IN_OK | - M_UDP_CSUM_IN_OK | M_ICMP_CSUM_IN_OK); - m->m_pkthdr.csum_flags &= ~(M_IPV4_CSUM_IN_BAD | M_TCP_CSUM_IN_BAD | - M_UDP_CSUM_IN_BAD | M_ICMP_CSUM_IN_BAD); + /* tunneled packet was not offloaded */ + m->m_pkthdr.csum_flags = 0; + /* optimise: the tunnel provided a stronger integrity check */ + m->m_pkthdr.csum_flags |= M_IPV4_CSUM_IN_OK; m->m_pkthdr.ph_ifidx = sc->sc_if.if_index; m->m_pkthdr.ph_rtableid = sc->sc_if.if_rdomain;