Hi,
When sending IP packets to userland with divert-packet rules, the
checksum may be wrong. Locally generated packets diverted by pf
out rules may have no checksum due to to hardware offloading.
IDS/IPS systems may complain about that.
Calculate the checksum in that case.
ok?
bluhm
Index: netinet/ip_divert.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_divert.c,v
retrieving revision 1.89
diff -u -p -r1.89 ip_divert.c
--- netinet/ip_divert.c 17 Oct 2022 14:49:02 -0000 1.89
+++ netinet/ip_divert.c 3 Apr 2023 19:18:59 -0000
@@ -190,6 +190,8 @@ divert_packet(struct mbuf *m, int dir, u
struct inpcb *inp = NULL;
struct socket *so;
struct sockaddr_in sin;
+ struct ip *ip;
+ int off;
divstat_inc(divs_ipackets);
@@ -232,6 +234,17 @@ divert_packet(struct mbuf *m, int dir, u
break;
}
if_put(ifp);
+ } else {
+ /*
+ * Calculate IP and protocol checksums for outbound packet
+ * diverted to userland. pf rule diverts before cksum offload.
+ */
+ ip = mtod(m, struct ip *);
+ off = ip->ip_hl << 2;
+
+ ip->ip_sum = 0;
+ ip->ip_sum = in_cksum(m, off);
+ in_proto_cksum_out(m, NULL);
}
mtx_enter(&inp->inp_mtx);
Index: netinet6/ip6_divert.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_divert.c,v
retrieving revision 1.88
diff -u -p -r1.88 ip6_divert.c
--- netinet6/ip6_divert.c 17 Oct 2022 14:49:02 -0000 1.88
+++ netinet6/ip6_divert.c 3 Apr 2023 19:19:06 -0000
@@ -238,6 +238,12 @@ divert6_packet(struct mbuf *m, int dir,
break;
}
if_put(ifp);
+ } else {
+ /*
+ * Calculate protocol checksum for outbound packet diverted
+ * to userland. pf out rule diverts before cksum offload.
+ */
+ in6_proto_cksum_out(m, NULL);
}
mtx_enter(&inp->inp_mtx);
