From nobody@FreeBSD.org  Thu Dec  7 09:03:50 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C892816A500
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  7 Dec 2006 09:03:50 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A464143CB7
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  7 Dec 2006 09:02:56 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id kB793kU9055367
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 7 Dec 2006 09:03:46 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id kB793kPV055366;
	Thu, 7 Dec 2006 09:03:46 GMT
	(envelope-from nobody)
Message-Id: <200612070903.kB793kPV055366@www.freebsd.org>
Date: Thu, 7 Dec 2006 09:03:46 GMT
From: Manuel Schiller<mala@hinterbergen.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
X-Send-Pr-Version: www-3.0

>Number:         106438
>Category:       kern
>Synopsis:       [ipf] ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    fjoe
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 07 09:10:07 GMT 2006
>Closed-Date:    Thu Oct 04 09:57:54 UTC 2012
>Last-Modified:  Thu Oct  4 10:00:28 UTC 2012
>Originator:     Manuel Schiller
>Release:        RELENG6_1, STABLE (both tested this week)
>Organization:
>Environment:
(sorry, not connected to the net)
GENERIC kernel (no tweaks whatsoever), Sun Ultra1 machine (sparc64 platform)
>Description:
During the process of moving my router/firewall setup to a new machine (the old one died), I saw that ipfilter seems to do something strange to my packets (when I disable it, the problem disappears, but that's not an option for a firewall :)

My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):

pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
block out quick on hme3

block in quick on hme3

On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.

dig @192.168.x.y www.freebsd.org

would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.

I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using

rm -fr /usr/obj/*
cd /usr/src
make buildworld
make buildkernel
make installkernel
mergemaster -p
make installworld
mergemaster

CFLAGS have been "-O", I have removed the "-pipe" for some reason I forgot. The machine has been used elsewhere in the past, and it always ran rock solid for weeks under full load compiling stuff without ever crashing.

Any hints, ideas or things to test would be greatly appreciated. I intend to look into the kernel sources next weekend (I suspect it's some kind of bug that does not trigger on the more common platforms because I suspect strongly that someone would have noticed it already and I didn't find any hint of that in the mailing lists, problem reports and google), but I'm not too confident when it comes to spotting what's going wrong there. If I missed something obvious, I'd appreciate a pointer. (And I'd be very sorry for the inconvenience.)

Manuel


P.S. I'm sorry that I couldn't offer you a PR done with send-pr on the offending machine, but it's not in a state fit to send e-mails at the moment, so I have to do this from work...
>How-To-Repeat:
ipf -Fa -f /etc/ipf.rules (with appropriate rule file)
dig @(some-name-server reachable without ipf) www.somesite.whatever
>Fix:

>Release-Note:
>Audit-Trail:

From: Remko Lodder <remko@elvandar.org>
To: Manuel Schiller <mala@hinterbergen.de>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Thu, 7 Dec 2006 10:16:19 +0100

 Hello,
 
 
 > My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
 > 
 > pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
 > pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
 > block out quick on hme3
 > 
 > block in quick on hme3
 > 
 > On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
 > 
 > dig @192.168.x.y www.freebsd.org
 > 
 > would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
 > 
 > I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using
 > 
 
 	First of all thanks for using FreeBSD!
 
 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 	of hits on the rule)
 
 	Thanks in advance
 
 -- 
 Kind regards,
 
      Remko Lodder               ** remko@elvandar.org
      FreeBSD                    ** remko@FreeBSD.org
 
      /* Quis custodiet ipsos custodes */

From: Manuel Tobias Schiller <mala@hinterbergen.de>
To: Remko Lodder <remko@elvandar.org>
Cc:  
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Thu, 7 Dec 2006 11:51:26 +0100

 Hello,
 
 thanks for the quick reply.
 
 On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 > Hello,
 > 
 > 
 > > My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
 > > 
 > > pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
 > > pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
 > > block out quick on hme3
 > > 
 > > block in quick on hme3
 > > 
 > > On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
 > > 
 > > dig @192.168.x.y www.freebsd.org
 > > 
 > > would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
 > > 
 > > I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using
 > > 
 > 
 > 	First of all thanks for using FreeBSD!
 
 Thanks for making a fine OS which has not let me down for quite some time.
 (Had the old machine's hardware not died, I would still be perfectly happy
 with it ;)
 In fact, using FreeBSD makes it much less of a pain to set up a decent
 server/router/firewall than most other OSs that I've seen (if you prefer
 to know what happens on your machine - if you don't care, most Linux
 distros are probably ok as well ;).
 
 > 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 > 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 > 	of hits on the rule)
 
 I'll do that tonight and let you know what happens. (I've had a look at the
 output of ipfstat, but I don't remember what ipmon logs right now.).
 However, from what I remember, the ipfstat shows that the pass rule for
 udp domain packets triggers and packets out pass, on the way in the block
 rule in the inbound section triggers and blocks the replies. I only have
 the three rules I mentioned above on the interface in question.
  
 > 	Thanks in advance
 
 What for? I have asked for help. ;) So thanks for providing a start.
 
 > -- 
 > Kind regards,
 > 
 >      Remko Lodder               ** remko@elvandar.org
 >      FreeBSD                    ** remko@FreeBSD.org
 > 
 >      /* Quis custodiet ipsos custodes */
 > 
 
 Kind regards,
 
 Manuel Schiller
 
 -- 
 Homepage: http://www.hinterbergen.de/mala
 OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)

From: Manuel Tobias Schiller <mala@hinterbergen.de>
To: Remko Lodder <remko@elvandar.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Fri, 8 Dec 2006 09:38:33 +0100

 --d6Gm4EdcadzBjdND
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 Hello,
 
 I've gathered the information you have asked for, see the attachment.
 I hope it helps us to get an idea of what's going wrong. Any help with
 this would be appreciated.
 
 Thanks in advance.
 
 Manuel
 
 P.S. I did the | grep hme3 in the attachment to not clutter the output
 with irrelevant stuff. All other rules are bound to their respective
 interface (hme0, hme1, hme2, le0) and should not influence hme3.
 Besides, there's a lot of traffic going on on le0 which does not need to
 be mentioned in the ipfstat output because the machine in question is
 headless and can only be reached with a serial line (with a laptop down
 in the cellar) or a dedicated network interface (le0, for which I
 need to have rules that pass everything).
 
 On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 > Hello,
 > 
 > 
 > 	First of all thanks for using FreeBSD!
 > 
 > 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 > 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 > 	of hits on the rule)
 > 
 > 	Thanks in advance
 > 
 > -- 
 > Kind regards,
 > 
 >      Remko Lodder               ** remko@elvandar.org
 >      FreeBSD                    ** remko@FreeBSD.org
 > 
 >      /* Quis custodiet ipsos custodes */
 > 
 
 -- 
 Homepage: http://www.hinterbergen.de/mala
 OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)
 
 --d6Gm4EdcadzBjdND
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="moo.txt"
 
 192.168.x.x	FreeBSD machine having the problem
 192.168.x.y	dsl router running a caching dns server
 		(works fine without the firewall on the FreeBSD box, I use
 		this one for testing because I know its IP address by heart)
 
 none of these two addresses are equal to the broadcast or network address
 (I mention this here just to make sure you don't think I did something like this...)
 
 router# ipfstat -hion | grep hme3; echo; ipmon -Fva
 0 @14 pass out quick on hme3 proto tcp from 192.168.x.x/32 to any port = domain flags S/FSRPAU keep state
 602 @15 pass out quick on hme3 proto udp from any to any port = domain keep state
 45115 @16 block out log first on hme3 all
 31242 @33 block in log first on hme3 all
 
 0 bytes flushed from log buffer
 0 bytes flushed from log buffer
 352 bytes flushed from log buffer
 
 [ ran two dig commands on other console, look for STATE: NEW ]
 
 08/12/2006 07:20:05.509612 STATE:NEW 192.168.x.x,58286 -> 192.168.y.y,53 PR udp
 08/12/2006 07:20:10.264314 hme3 @0:33 b 192.168.y.y,3670 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:10.499382 hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 128 IN bad
 08/12/2006 07:20:11.264285 hme3 @0:33 b 192.168.y.y,3670 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:15.264215 hme3 @0:33 b 192.168.y.y,3671 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:15.500616 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58286 PR udp len 20 80 IN bad
 08/12/2006 07:20:16.264197 hme3 @0:33 b 192.168.y.y,3671 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:20.304953 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:20:30.304837 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:20:40.304459 hme3 @0:33 b 192.168.y.y,3672 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:41.087241 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
 08/12/2006 07:20:41.304457 hme3 @0:33 b 192.168.y.y,3672 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:41.086611 STATE:NEW 192.168.x.x,58673 -> 192.168.y.y,53 PR udp
 08/12/2006 07:20:46.088779 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
 08/12/2006 07:20:46.304633 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:20:51.090349 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
 08/12/2006 07:20:56.304463 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:21:06.304335 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 ^C
 router# ipfstat -hion | grep hme3
 0 @14 pass out quick on hme3 proto tcp from 192.168.x.x/32 to any port = domain flags S/FSRPAU keep state
 604 @15 pass out quick on hme3 proto udp from any to any port = domain keep state
 45115 @16 block out log first on hme3 all
 31297 @33 block in log first on hme3 all
 router#
 
 --d6Gm4EdcadzBjdND--
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Nov 30 19:03:15 UTC 2007 
Responsible-Changed-Why:  
Reassign to -net, this seems like a problem with the hme driver 
I can reproduce this on 8-CURRENT on my sparc64, after issueing 
a ifconfig hme0 -rxcsum and -txcsum the problem vanished and 
I could connect again (ipfilter stopped the packets since they 
had bad data included). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106438 

From: Remko Lodder <remko@elvandar.org>
To: Manuel Tobias Schiller <mala@hinterbergen.de>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies
 in on spar64 (and maybe others)
Date: Fri, 30 Nov 2007 20:03:31 +0100

 Manuel Tobias Schiller wrote:
 > Hello,
 > 
 > I've gathered the information you have asked for, see the attachment.
 > I hope it helps us to get an idea of what's going wrong. Any help with
 > this would be appreciated.
 > 
 > Thanks in advance.
 > 
 > Manuel
 > 
 > P.S. I did the | grep hme3 in the attachment to not clutter the output
 > with irrelevant stuff. All other rules are bound to their respective
 > interface (hme0, hme1, hme2, le0) and should not influence hme3.
 > Besides, there's a lot of traffic going on on le0 which does not need to
 > be mentioned in the ipfstat output because the machine in question is
 > headless and can only be reached with a serial line (with a laptop down
 > in the cellar) or a dedicated network interface (le0, for which I
 > need to have rules that pass everything).
 > 
 > On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 >> Hello,
 >>
 >>
 >> 	First of all thanks for using FreeBSD!
 >>
 >> 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 >> 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 >> 	of hits on the rule)
 >>
 >> 	Thanks in advance
 >>
 >> -- 
 >> Kind regards,
 >>
 >>      Remko Lodder               ** remko@elvandar.org
 >>      FreeBSD                    ** remko@FreeBSD.org
 >>
 >>      /* Quis custodiet ipsos custodes */
 >>
 > 
 
 Dear Manuel,
 
 It took a lot of time for me to set this up properly, but I managed to
 work this out; actually this is not a ipfilter problem but it seems
 that hme0 is not capable of doing incoming and outgoing checksumming.
 
 I faced the same problem, and by issueing a ifconfig hme0 -txcsum
 -rxcsum I resolved the problem.
 
 The ipfilter errors vanished after that. I'll try to have a look at the
 intel gigabit card in the machine (manually added) and see whether that
 has a similiar issue..
 
 Cheers
 remko
 
 -- 
 /"\   Best regards,                      | remko@FreeBSD.org
 \ /   Remko Lodder                       | remko@EFnet
  X    http://www.evilcoder.org/          |
 / \   ASCII Ribbon Campaign              | Against HTML Mail and News

From: Manuel Tobias Schiller <mala@hinterbergen.de>
To: Remko Lodder <remko@elvandar.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow
 replies in on spar64 (and maybe others)
Date: Sat, 1 Dec 2007 11:11:00 +0100

 On Fri, 30 Nov 2007 20:03:31 +0100
 Remko Lodder <remko@elvandar.org> wrote:
 
 > Manuel Tobias Schiller wrote:
 > > Hello,
 > > 
 > > I've gathered the information you have asked for, see the
 > > attachment. I hope it helps us to get an idea of what's going
 > > wrong. Any help with this would be appreciated.
 > > 
 > > Thanks in advance.
 > > 
 > > Manuel
 > > 
 > > P.S. I did the | grep hme3 in the attachment to not clutter the
 > > output with irrelevant stuff. All other rules are bound to their
 > > respective interface (hme0, hme1, hme2, le0) and should not
 > > influence hme3. Besides, there's a lot of traffic going on on le0
 > > which does not need to be mentioned in the ipfstat output because
 > > the machine in question is headless and can only be reached with a
 > > serial line (with a laptop down in the cellar) or a dedicated
 > > network interface (le0, for which I need to have rules that pass
 > > everything).
 > > 
 > > On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 > >> Hello,
 > >>
 > >>
 > >> 	First of all thanks for using FreeBSD!
 > >>
 > >> 	If you run ipmon, what kind of details do you see in the
 > >> log? It mentions where it is blocked and you can review that rule
 > >> with ipfstat -hion (list everything in out, do not resolve and
 > >> show the amount of hits on the rule)
 > >>
 > >> 	Thanks in advance
 > >>
 > >> -- 
 > >> Kind regards,
 > >>
 > >>      Remko Lodder               ** remko@elvandar.org
 > >>      FreeBSD                    ** remko@FreeBSD.org
 > >>
 > >>      /* Quis custodiet ipsos custodes */
 > >>
 > > 
 > 
 > Dear Manuel,
 > 
 > It took a lot of time for me to set this up properly, but I managed to
 > work this out; actually this is not a ipfilter problem but it seems
 > that hme0 is not capable of doing incoming and outgoing checksumming.
 > 
 > I faced the same problem, and by issueing a ifconfig hme0 -txcsum
 > -rxcsum I resolved the problem.
 > 
 > The ipfilter errors vanished after that. I'll try to have a look at
 > the intel gigabit card in the machine (manually added) and see
 > whether that has a similiar issue..
 > 
 > Cheers
 > remko
 
 Dear Remko,
 
 it's great to hear from you again - I thought everybody had forgotten
 about this... Well, I have switched to pf in the meantime, as it's a
 production machine, but I may have time over christmas to test things
 out with ipfilter, as I like it very much. By the way, why did things
 work with hme and ipfilter in earlier FreeBSD versions? Did hme not have
 the checksumming feature at all or different defaults? This puzzles me a
 little, I must confess.
 
 Anyway, thanks a lot for your help!
 
 Cheers,
 
 Manuel
 
 -- 
 Homepage: http://www.hinterbergen.de/mala
 OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)

From: Remko Lodder <remko@elvandar.org>
To: Manuel Tobias Schiller <mala@hinterbergen.de>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies
 in on spar64 (and maybe others)
Date: Fri, 14 Dec 2007 22:01:11 +0100

 Manuel Tobias Schiller wrote:
 > On Fri, 30 Nov 2007 20:03:31 +0100
 > Remko Lodder <remko@elvandar.org> wrote:
 > 
 >> Manuel Tobias Schiller wrote:
 >>> Hello,
 >>>
 >>> I've gathered the information you have asked for, see the
 >>> attachment. I hope it helps us to get an idea of what's going
 >>> wrong. Any help with this would be appreciated.
 >>>
 >>> Thanks in advance.
 >>>
 >>> Manuel
 >>>
 >>> P.S. I did the | grep hme3 in the attachment to not clutter the
 >>> output with irrelevant stuff. All other rules are bound to their
 >>> respective interface (hme0, hme1, hme2, le0) and should not
 >>> influence hme3. Besides, there's a lot of traffic going on on le0
 >>> which does not need to be mentioned in the ipfstat output because
 >>> the machine in question is headless and can only be reached with a
 >>> serial line (with a laptop down in the cellar) or a dedicated
 >>> network interface (le0, for which I need to have rules that pass
 >>> everything).
 >>>
 >>> On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 >>>> Hello,
 >>>>
 >>>>
 >>>> 	First of all thanks for using FreeBSD!
 >>>>
 >>>> 	If you run ipmon, what kind of details do you see in the
 >>>> log? It mentions where it is blocked and you can review that rule
 >>>> with ipfstat -hion (list everything in out, do not resolve and
 >>>> show the amount of hits on the rule)
 >>>>
 >>>> 	Thanks in advance
 >>>>
 >>>> -- 
 >>>> Kind regards,
 >>>>
 >>>>      Remko Lodder               ** remko@elvandar.org
 >>>>      FreeBSD                    ** remko@FreeBSD.org
 >>>>
 >>>>      /* Quis custodiet ipsos custodes */
 >>>>
 >> Dear Manuel,
 >>
 >> It took a lot of time for me to set this up properly, but I managed to
 >> work this out; actually this is not a ipfilter problem but it seems
 >> that hme0 is not capable of doing incoming and outgoing checksumming.
 >>
 >> I faced the same problem, and by issueing a ifconfig hme0 -txcsum
 >> -rxcsum I resolved the problem.
 >>
 >> The ipfilter errors vanished after that. I'll try to have a look at
 >> the intel gigabit card in the machine (manually added) and see
 >> whether that has a similiar issue..
 >>
 >> Cheers
 >> remko
 > 
 > Dear Remko,
 > 
 > it's great to hear from you again - I thought everybody had forgotten
 > about this... Well, I have switched to pf in the meantime, as it's a
 > production machine, but I may have time over christmas to test things
 > out with ipfilter, as I like it very much. By the way, why did things
 > work with hme and ipfilter in earlier FreeBSD versions? Did hme not have
 > the checksumming feature at all or different defaults? This puzzles me a
 > little, I must confess.
 > 
 > Anyway, thanks a lot for your help!
 > 
 > Cheers,
 > 
 > Manuel
 > 
 
 Hello Manuel,
 
 Yes my fault, I reproduced this today with pf enabled, hme just works
 fine with that, so I was wrong :-)
 
 it's ipfilter that is messing up here...
 
 -- 
 /"\   Best regards,                      | remko@FreeBSD.org
 \ /   Remko Lodder                       | remko@EFnet
  X    http://www.evilcoder.org/          |
 / \   ASCII Ribbon Campaign              | Against HTML Mail and News
Responsible-Changed-From-To: freebsd-net->darrenr 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sat Dec 15 19:54:29 UTC 2007 
Responsible-Changed-Why:  
Hi Darren, this seems to be closely related to IPfilter, can you please have a look? 
When hardware checksumming had been disabled; this problem does not appear when the 
checksumming is enabled no packets are being allowed (as mentioned in the ticket); 
I can succesfully reproduce the problem, if you need additional help let me know! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106438 

From: =?iso-8859-1?Q?=22Stefan_Kr=FCger=22?= <stadtkind2@gmx.de>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow
 replies in on spar64 (and maybe others)
Date: Wed, 07 Jan 2009 09:16:57 +0100

 I can confirm that ipf's keep state still doesn't work on FreeBSD 7.1-RELEASE :(
 
 Machine used for testing was a Sun Fire v120 (i.e. sparc64),
 NIC was Sun Eri (= gem driver)
 -- 
 Sensationsangebot verlngert: GMX FreeDSL - Telefonanschluss + DSL 
 fr nur 16,37 Euro/mtl.!* http://dsl.gmx.de/?ac=OM.AD.PD003K1308T4569a

From: Mark Abene <phiber@phiber.com>
To: bug-followup@FreeBSD.org, mala@hinterbergen.de
Cc:  
Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow
 replies in on spar64 (and maybe others)
Date: Sun, 06 Dec 2009 20:26:25 -0500

 It's been several years since this was first reported, and I can confirm
 that it's still a problem in FreeBSD 8.0-RELEASE on i386 with an fxp
 interface.  I just wasted nearly two days trying to figure out why our
 ipfilter rules which have been in use for years on our firewall suddenly
 locked the machine out when we upgraded from a rather old version of
 FreeBSD to 8.0-RELEASE.
 
 Same exact problem, same exact symptoms.  Disabling checksumming on the
 interface resolved the problem completely, otherwise ipfilter was rather
 broken.  I'm really glad I found this bug report, though not soon
 enough.  This is a rather serious problem.
 
 -Mark

From: Pyun YongHyeon <pyunyh@gmail.com>
To: Mark Abene <phiber@phiber.com>
Cc: freebsd-net@freebsd.org, bug-followup@FreeBSD.org, darren@FreeBSD.org
Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Mon, 7 Dec 2009 10:37:13 -0800

 --C7zPtVaVf+AK4Oqc
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Mon, Dec 07, 2009 at 01:40:04AM +0000, Mark Abene wrote:
 > The following reply was made to PR kern/106438; it has been noted by GNATS.
 > 
 > From: Mark Abene <phiber@phiber.com>
 > To: bug-followup@FreeBSD.org, mala@hinterbergen.de
 > Cc:  
 > Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow
 >  replies in on spar64 (and maybe others)
 > Date: Sun, 06 Dec 2009 20:26:25 -0500
 > 
 >  It's been several years since this was first reported, and I can confirm
 >  that it's still a problem in FreeBSD 8.0-RELEASE on i386 with an fxp
 >  interface.  I just wasted nearly two days trying to figure out why our
 >  ipfilter rules which have been in use for years on our firewall suddenly
 >  locked the machine out when we upgraded from a rather old version of
 >  FreeBSD to 8.0-RELEASE.
 >  
 >  Same exact problem, same exact symptoms.  Disabling checksumming on the
 >  interface resolved the problem completely, otherwise ipfilter was rather
 >  broken.  I'm really glad I found this bug report, though not soon
 >  enough.  This is a rather serious problem.
 >  
 
 I think the bug is in ipfilter's checksum computation. Unlike other
 operating systems, FreeBSD also supports cheap controllers that lacks
 pseudo checksum operation. These controllers just compute partial
 checksum without pseudo header and drivers(fxp(4), hme(4) and gem(4))
 that take advantage of this feature insert a tag which indicates
 pseudo checksum is required in upper stack. The checksum computation
 code in ipfilter didn't account for IP header length so it always
 computed checksum wrong.
 I guess the following patch may fix the issue. The patch is not
 tested and wouldn't be complete as it assumes IPv4. However no other
 driver in tree set CSUM_DATA_VALID without CSUM_PSEUDO_HDR for IPv6
 at this moment.
 
 Darren, would you review the patch? Because ipfilter lives in
 contrib I think it should go upstream first.
 
 >  -Mark
 
 --C7zPtVaVf+AK4Oqc
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="ipfilter.csum.patch"
 
 Index: sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
 ===================================================================
 --- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	(revision 200222)
 +++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	(working copy)
 @@ -1357,7 +1357,9 @@
  		else
  			sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
  					htonl(m->m_pkthdr.csum_data +
 -					fin->fin_ip->ip_len + fin->fin_p));
 +					fin->fin_ip->ip_len -
 +					(fin->fin_ip->ip_hl << 2) +
 +					fin->fin_p));
  		sum ^= 0xffff;
  		if (sum != 0) {
  			fin->fin_flx |= FI_BAD;
 
 --C7zPtVaVf+AK4Oqc--
State-Changed-From-To: open->patched 
State-Changed-By: fjoe 
State-Changed-When: Thu Sep 27 18:15:10 UTC 2012 
State-Changed-Why:  
The fix is in upstream CVS (including v4-1-RELEASE branch): 
http://ipfilter.cvs.sourceforge.net/viewvc/ipfilter/ipfilter/ip_fil_freebsd.c?r1=1.1.3.1.2.24&r2=1.1.3.1.2.25&pathrev=v4-1-RELEASE 

Committed to head. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106438 
Responsible-Changed-From-To: freebsd-net->fjoe 
Responsible-Changed-By: fjoe 
Responsible-Changed-When: Thu Sep 27 18:16:48 UTC 2012 
Responsible-Changed-Why:  
I take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106438 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/106438: commit references a PR
Date: Thu, 27 Sep 2012 18:15:17 +0000 (UTC)

 Author: fjoe
 Date: Thu Sep 27 18:15:01 2012
 New Revision: 241002
 URL: http://svn.freebsd.org/changeset/base/241002
 
 Log:
   Fix pseudo checksum calculation.
   
   This fixes ipfilter w/ network controllers that implement only
   partial rx csum offloading.
   
   PR:			106438
   Obtained from:		upstream
   MFC after:		1 week
 
 Modified:
   head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
 
 Modified: head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
 ==============================================================================
 --- head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Thu Sep 27 17:48:04 2012	(r241001)
 +++ head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Thu Sep 27 18:15:01 2012	(r241002)
 @@ -1357,7 +1357,9 @@ fr_info_t *fin;
  		else
  			sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
  					htonl(m->m_pkthdr.csum_data +
 -					fin->fin_ip->ip_len + fin->fin_p));
 +					fin->fin_ip->ip_len -
 +					(fin->fin_ip->ip_hl << 2) +
 +					fin->fin_p));
  		sum ^= 0xffff;
  		if (sum != 0) {
  			fin->fin_flx |= FI_BAD;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: fjoe 
State-Changed-When: Thu Oct 4 09:57:17 UTC 2012 
State-Changed-Why:  
The fix merged to stable/9 branch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106438 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/106438: commit references a PR
Date: Thu,  4 Oct 2012 09:50:18 +0000 (UTC)

 Author: fjoe
 Date: Thu Oct  4 09:49:53 2012
 New Revision: 241192
 URL: http://svn.freebsd.org/changeset/base/241192
 
 Log:
   MFC: r241002
   
   Fix pseudo checksum calculation.
   
   This fixes ipfilter w/ network controllers that implement only
   partial rx csum offloading.
   
   PR:		106438
   Obtained from:	upstream
 
 Modified:
   stable/9/Makefile.inc1
   stable/9/gnu/usr.bin/gdb/Makefile.inc
   stable/9/gnu/usr.bin/gdb/arch/amd64/Makefile
   stable/9/gnu/usr.bin/gdb/arch/amd64/init.c
   stable/9/gnu/usr.bin/gdb/arch/arm/Makefile
   stable/9/gnu/usr.bin/gdb/arch/arm/init.c
   stable/9/gnu/usr.bin/gdb/arch/i386/Makefile
   stable/9/gnu/usr.bin/gdb/arch/i386/init.c
   stable/9/gnu/usr.bin/gdb/arch/ia64/Makefile
   stable/9/gnu/usr.bin/gdb/arch/ia64/init.c
   stable/9/gnu/usr.bin/gdb/arch/mips/Makefile
   stable/9/gnu/usr.bin/gdb/arch/mips/init.c
   stable/9/gnu/usr.bin/gdb/arch/powerpc/Makefile
   stable/9/gnu/usr.bin/gdb/arch/powerpc/init.c
   stable/9/gnu/usr.bin/gdb/arch/powerpc64/Makefile
   stable/9/gnu/usr.bin/gdb/arch/powerpc64/init.c
   stable/9/kerberos5/usr.bin/kadmin/Makefile
   stable/9/kerberos5/usr.sbin/ktutil/Makefile
   stable/9/rescue/rescue/Makefile
   stable/9/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
   stable/9/sys/fs/ext2fs/ext2_bmap.c
   stable/9/sys/fs/ext2fs/ext2_extern.h
   stable/9/sys/fs/ext2fs/ext2_vnops.c
   stable/9/usr.bin/grep/util.c
 Directory Properties:
   stable/9/   (props changed)
   stable/9/sys/   (props changed)
 
 Modified: stable/9/Makefile.inc1
 ==============================================================================
 --- stable/9/Makefile.inc1	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/Makefile.inc1	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -172,7 +172,11 @@ OBJTREE=	${MAKEOBJDIRPREFIX}/${TARGET}.$
  .endif
  WORLDTMP=	${OBJTREE}${.CURDIR}/tmp
  # /usr/games added for fortune which depend on strfile
 +.if defined(NO_WORLDTMP)
 +BPATH=		${PATH}
 +.else
  BPATH=		${WORLDTMP}/legacy/usr/sbin:${WORLDTMP}/legacy/usr/bin:${WORLDTMP}/legacy/usr/games
 +.endif
  XPATH=		${WORLDTMP}/usr/sbin:${WORLDTMP}/usr/bin:${WORLDTMP}/usr/games
  STRICTTMPPATH=	${BPATH}:${XPATH}
  TMPPATH=	${STRICTTMPPATH}:${PATH}
 
 Modified: stable/9/gnu/usr.bin/gdb/Makefile.inc
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/Makefile.inc	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/Makefile.inc	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -45,6 +45,7 @@ CFLAGS+= -I${CNTRB_GDB}/gdb/config
  CFLAGS+= -I${CNTRB_BU}/include
  CFLAGS+= -I${CNTRB_GDB}/include
  CFLAGS+= -I${CNTRB_BU}/bfd
 +DEBUG_FLAGS=	-g -O0
  
  GENSRCS+= nm.h tm.h
  
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/amd64/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/amd64/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/amd64/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -5,7 +5,7 @@ GENSRCS+= xm.h
  LIBSRCS+= fbsd-proc.c fbsd-threads.c gcore.c
  LIBSRCS+= amd64-nat.c amd64bsd-nat.c amd64fbsd-nat.c
  .endif
 -LIBSRCS+= solib.c solib-svr4.c
 +LIBSRCS+= solib.c solib-svr4.c solib-legacy.c
  LIBSRCS+= amd64-tdep.c amd64fbsd-tdep.c i386-tdep.c i386bsd-tdep.c \
  	i386fbsd-tdep-fixed.c i387-tdep.c
  
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/amd64/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/amd64/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/amd64/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -12,6 +12,7 @@ extern initialize_file_ftype _initialize
  extern initialize_file_ftype _initialize_corelow;
  extern initialize_file_ftype _initialize_solib;
  extern initialize_file_ftype _initialize_svr4_solib;
 +extern initialize_file_ftype _initialize_svr4_lm;
  extern initialize_file_ftype _initialize_ser_hardwire;
  extern initialize_file_ftype _initialize_ser_pipe;
  extern initialize_file_ftype _initialize_ser_tcp;
 @@ -126,6 +127,7 @@ initialize_all_files (void)
    _initialize_corelow ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/arm/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/arm/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/arm/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -2,7 +2,7 @@
  
  GENSRCS+= xm.h
  LIBSRCS+= armfbsd-nat.c
 -LIBSRCS+= arm-tdep.c armfbsd-tdep.c solib.c solib-svr4.c
 +LIBSRCS+= arm-tdep.c armfbsd-tdep.c solib.c solib-svr4.c solib-legacy.c
  .if !defined(GDB_CROSS_DEBUGGER)
  LIBSRCS+= fbsd-threads.c
  .endif
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/arm/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/arm/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/arm/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -10,6 +10,7 @@ extern initialize_file_ftype _initialize
  extern initialize_file_ftype _initialize_corelow;
  extern initialize_file_ftype _initialize_solib;
  extern initialize_file_ftype _initialize_svr4_solib;
 +extern initialize_file_ftype _initialize_svr4_lm;
  extern initialize_file_ftype _initialize_ser_hardwire;
  extern initialize_file_ftype _initialize_ser_pipe;
  extern initialize_file_ftype _initialize_ser_tcp;
 @@ -122,6 +123,7 @@ initialize_all_files (void)
    _initialize_corelow ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/i386/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/i386/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/i386/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -5,7 +5,7 @@ GENSRCS+= xm.h
  LIBSRCS+= fbsd-proc.c fbsd-threads.c gcore.c
  LIBSRCS+= i386-nat.c i386bsd-nat.c i386fbsd-nat.c
  .endif
 -LIBSRCS+= solib.c solib-svr4.c
 +LIBSRCS+= solib.c solib-svr4.c solib-legacy.c
  LIBSRCS+= i386-tdep.c i386bsd-tdep.c i386fbsd-tdep-fixed.c i387-tdep.c
  
  nm.h:
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/i386/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/i386/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/i386/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -11,6 +11,7 @@ extern initialize_file_ftype _initialize
  extern initialize_file_ftype _initialize_corelow;
  extern initialize_file_ftype _initialize_solib;
  extern initialize_file_ftype _initialize_svr4_solib;
 +extern initialize_file_ftype _initialize_svr4_lm;
  extern initialize_file_ftype _initialize_ser_hardwire;
  extern initialize_file_ftype _initialize_ser_pipe;
  extern initialize_file_ftype _initialize_ser_tcp;
 @@ -126,6 +127,7 @@ initialize_all_files (void)
    _initialize_corelow ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/ia64/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/ia64/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/ia64/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -4,7 +4,7 @@
  LIBSRCS+= fbsd-proc.c fbsd-threads.c gcore.c
  LIBSRCS+= ia64-fbsd-nat.c
  .endif
 -LIBSRCS+= solib.c solib-svr4.c
 +LIBSRCS+= solib.c solib-svr4.c solib-legacy.c
  LIBSRCS+= ia64-fbsd-tdep.c ia64-tdep.c
  
  nm.h:
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/ia64/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/ia64/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/ia64/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -10,6 +10,7 @@ extern initialize_file_ftype _initialize
  extern initialize_file_ftype _initialize_ia64_tdep;
  extern initialize_file_ftype _initialize_solib;
  extern initialize_file_ftype _initialize_svr4_solib;
 +extern initialize_file_ftype _initialize_svr4_lm;
  extern initialize_file_ftype _initialize_ser_hardwire;
  extern initialize_file_ftype _initialize_ser_pipe;
  extern initialize_file_ftype _initialize_ser_tcp;
 @@ -122,6 +123,7 @@ initialize_all_files (void)
    _initialize_ia64_tdep ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/mips/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/mips/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/mips/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -3,7 +3,7 @@
  .if !defined(GDB_CROSS_DEBUGGER)
  LIBSRCS+= mipsfbsd-nat.c fbsd-threads.c
  .endif
 -LIBSRCS+= solib.c solib-svr4.c
 +LIBSRCS+= solib.c solib-svr4.c solib-legacy.c
  LIBSRCS+= mips-tdep.c mipsfbsd-tdep.c fbsd-proc.c
  
  nm.h:
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/mips/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/mips/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/mips/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -121,6 +121,7 @@ initialize_all_files (void)
    _initialize_corelow ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 @@ -133,10 +134,8 @@ initialize_all_files (void)
    _initialize_infptrace ();
    _initialize_inftarg ();
    _initialize_thread_db ();
 -#if 0
    _initialize_svr4_lm ();
  #endif
 -#endif
    _initialize_remote ();
    _initialize_dcache ();
    _initialize_sr_support ();
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/powerpc/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/powerpc/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/powerpc/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -4,7 +4,7 @@
  LIBSRCS+= fbsd-proc.c fbsd-threads.c gcore.c
  LIBSRCS+= ppcfbsd-nat.c
  .endif
 -LIBSRCS+= solib.c solib-svr4.c
 +LIBSRCS+= solib.c solib-svr4.c solib-legacy.c
  LIBSRCS+= ppc-sysv-tdep.c ppcfbsd-tdep.c rs6000-tdep.c
  
  nm.h:
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/powerpc/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/powerpc/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/powerpc/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -10,6 +10,7 @@ extern initialize_file_ftype _initialize
  extern initialize_file_ftype _initialize_corelow;
  extern initialize_file_ftype _initialize_solib;
  extern initialize_file_ftype _initialize_svr4_solib;
 +extern initialize_file_ftype _initialize_svr4_lm;
  extern initialize_file_ftype _initialize_ser_hardwire;
  extern initialize_file_ftype _initialize_ser_pipe;
  extern initialize_file_ftype _initialize_ser_tcp;
 @@ -122,6 +123,7 @@ initialize_all_files (void)
    _initialize_corelow ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/powerpc64/Makefile
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/powerpc64/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/powerpc64/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -4,7 +4,7 @@
  LIBSRCS+= fbsd-proc.c fbsd-threads.c gcore.c
  LIBSRCS+= ppcfbsd-nat.c
  .endif
 -LIBSRCS+= solib.c solib-svr4.c
 +LIBSRCS+= solib.c solib-svr4.c solib-legacy.c
  LIBSRCS+= ppc-sysv-tdep.c ppcfbsd-tdep.c rs6000-tdep.c
  
  nm.h:
 
 Modified: stable/9/gnu/usr.bin/gdb/arch/powerpc64/init.c
 ==============================================================================
 --- stable/9/gnu/usr.bin/gdb/arch/powerpc64/init.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/gnu/usr.bin/gdb/arch/powerpc64/init.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -10,6 +10,7 @@ extern initialize_file_ftype _initialize
  extern initialize_file_ftype _initialize_corelow;
  extern initialize_file_ftype _initialize_solib;
  extern initialize_file_ftype _initialize_svr4_solib;
 +extern initialize_file_ftype _initialize_svr4_lm;
  extern initialize_file_ftype _initialize_ser_hardwire;
  extern initialize_file_ftype _initialize_ser_pipe;
  extern initialize_file_ftype _initialize_ser_tcp;
 @@ -122,6 +123,7 @@ initialize_all_files (void)
    _initialize_corelow ();
    _initialize_solib ();
    _initialize_svr4_solib ();
 +  _initialize_svr4_lm ();
    _initialize_ser_hardwire ();
    _initialize_ser_pipe ();
    _initialize_ser_tcp ();
 
 Modified: stable/9/kerberos5/usr.bin/kadmin/Makefile
 ==============================================================================
 --- stable/9/kerberos5/usr.bin/kadmin/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/kerberos5/usr.bin/kadmin/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -29,11 +29,11 @@ CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DI
  DPADD=	${LIBKADM5CLNT} ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBHX509} \
  	${LIBSL} ${LIBROKEN} ${LIBVERS} ${LIBASN1} \
  	${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} \
 -	${LIBREADLINE} ${LIBNCURSES} ${LDAPDPADD}
 +	${LIBEDIT} ${LIBNCURSES} ${LDAPDPADD}
  LDADD=	-lkadm5clnt -lkadm5srv -lhdb -lkrb5 -lhx509 \
  	${LIBSL} -lroken ${LIBVERS} -lasn1 \
  	-lcrypto -lcrypt -lcom_err \
 -	-lreadline -lncurses ${LDAPLDADD}
 +	-ledit -lncurses ${LDAPLDADD}
  LDFLAGS=${LDAPLDFLAGS}
  
  .include <bsd.prog.mk>
 
 Modified: stable/9/kerberos5/usr.sbin/ktutil/Makefile
 ==============================================================================
 --- stable/9/kerberos5/usr.sbin/ktutil/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/kerberos5/usr.sbin/ktutil/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -18,10 +18,10 @@ SRCS=	add.c \
  CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/sl -I.
  DPADD=	${LIBKADM5CLNT} ${LIBKRB5} ${LIBHX509} ${LIBSL} ${LIBROKEN} ${LIBVERS} \
  	${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} \
 -	${LIBREADLINE} ${LIBNCURSES}
 +	${LIBEDIT} ${LIBNCURSES}
  LDADD=	-lkadm5clnt -lkrb5 -lhx509 ${LIBSL} -lroken ${LIBVERS} \
  	-lasn1 -lcrypto -lcrypt -lcom_err \
 -	-lreadline -lncurses
 +	-ledit -lncurses
  
  .include <bsd.prog.mk>
  
 
 Modified: stable/9/rescue/rescue/Makefile
 ==============================================================================
 --- stable/9/rescue/rescue/Makefile	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/rescue/rescue/Makefile	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -123,9 +123,9 @@ CRUNCH_LIBS+= -lalias -lcam -lcurses -ld
  CRUNCH_LIBS+= -lipx
  .endif
  .if ${MK_ZFS} != "no"
 -CRUNCH_LIBS+= -lavl -lnvpair -lpthread -lzfs -luutil -lumem
 +CRUNCH_LIBS+= -lavl -lnvpair -lzfs -lpthread -luutil -lumem
  .endif
 -CRUNCH_LIBS+= -lgeom -lbsdxml -ljail -lkiconv -lmd -lreadline -lsbuf -lufs -lz
 +CRUNCH_LIBS+= -lgeom -lbsdxml -ljail -lkiconv -lmd -lsbuf -lufs -lz
  
  .if ${MACHINE_CPUARCH} == "i386"
  CRUNCH_PROGS_sbin+= bsdlabel sconfig fdisk
 
 Modified: stable/9/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
 ==============================================================================
 --- stable/9/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -1357,7 +1357,9 @@ fr_info_t *fin;
  		else
  			sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
  					htonl(m->m_pkthdr.csum_data +
 -					fin->fin_ip->ip_len + fin->fin_p));
 +					fin->fin_ip->ip_len -
 +					(fin->fin_ip->ip_hl << 2) +
 +					fin->fin_p));
  		sum ^= 0xffff;
  		if (sum != 0) {
  			fin->fin_flx |= FI_BAD;
 
 Modified: stable/9/sys/fs/ext2fs/ext2_bmap.c
 ==============================================================================
 --- stable/9/sys/fs/ext2fs/ext2_bmap.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/sys/fs/ext2fs/ext2_bmap.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -66,7 +66,6 @@ ext2_bmap(ap)
  		int *a_runb;
  	} */ *ap;
  {
 -	int32_t blkno;
  	int error;
  
  	/*
 @@ -78,9 +77,8 @@ ext2_bmap(ap)
  	if (ap->a_bnp == NULL)
  		return (0);
  
 -	error = ext2_bmaparray(ap->a_vp, ap->a_bn, &blkno,
 +	error = ext2_bmaparray(ap->a_vp, ap->a_bn, ap->a_bnp,
  	    ap->a_runp, ap->a_runb);
 -	*ap->a_bnp = blkno;
  	return (error);
  }
  
 @@ -101,8 +99,8 @@ ext2_bmap(ap)
  int
  ext2_bmaparray(vp, bn, bnp, runp, runb)
  	struct vnode *vp;
 -	int32_t bn;
 -	int32_t *bnp;
 +	daddr_t bn;
 +	daddr_t *bnp;
  	int *runp;
  	int *runb;
  {
 @@ -112,8 +110,8 @@ ext2_bmaparray(vp, bn, bnp, runp, runb)
  	struct mount *mp;
  	struct vnode *devvp;
  	struct indir a[NIADDR+1], *ap;
 -	int32_t daddr;
 -	long metalbn;
 +	daddr_t daddr;
 +	daddr_t metalbn;
  	int error, num, maxrun = 0, bsize;
  	int *nump;
  
 @@ -147,7 +145,7 @@ ext2_bmaparray(vp, bn, bnp, runp, runb)
  		if (*bnp == 0) {
  			*bnp = -1;
  		} else if (runp) {
 -			int32_t bnb = bn;
 +			daddr_t bnb = bn;
  			for (++bn; bn < NDADDR && *runp < maxrun &&
  			    is_sequential(ump, ip->i_db[bn - 1], ip->i_db[bn]);
  			    ++bn, ++*runp);
 
 Modified: stable/9/sys/fs/ext2fs/ext2_extern.h
 ==============================================================================
 --- stable/9/sys/fs/ext2fs/ext2_extern.h	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/sys/fs/ext2fs/ext2_extern.h	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -54,7 +54,7 @@ int	ext2_blkatoff(struct vnode *, off_t,
  void	ext2_blkfree(struct inode *, int32_t, long);
  int32_t	ext2_blkpref(struct inode *, int32_t, int, int32_t *, int32_t);
  int	ext2_bmap(struct vop_bmap_args *);
 -int	ext2_bmaparray(struct vnode *, int32_t, int32_t *, int *, int *);
 +int	ext2_bmaparray(struct vnode *, daddr_t, daddr_t *, int *, int *);
  void	ext2_clusteracct(struct m_ext2fs *, char *, int, daddr_t, int);
  void	ext2_dirbad(struct inode *ip, doff_t offset, char *how);
  void	ext2_ei2i(struct ext2fs_dinode *, struct inode *);
 
 Modified: stable/9/sys/fs/ext2fs/ext2_vnops.c
 ==============================================================================
 --- stable/9/sys/fs/ext2fs/ext2_vnops.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/sys/fs/ext2fs/ext2_vnops.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -1429,29 +1429,28 @@ ext2_strategy(ap)
  	struct vnode *vp = ap->a_vp;
  	struct inode *ip;
  	struct bufobj *bo;
 -	int32_t blkno;
  	int error;
  
  	ip = VTOI(vp);
  	if (vp->v_type == VBLK || vp->v_type == VCHR)
  		panic("ext2_strategy: spec");
  	if (bp->b_blkno == bp->b_lblkno) {
 -		error = ext2_bmaparray(vp, bp->b_lblkno, &blkno, NULL, NULL);
 -		bp->b_blkno = blkno;
 +		error = ext2_bmaparray(vp, bp->b_lblkno, &bp->b_blkno, NULL, NULL);
  		if (error) {
  			bp->b_error = error;
  			bp->b_ioflags |= BIO_ERROR;
  			bufdone(bp);
  			return (0);
  		}
 -		if ((long)bp->b_blkno == -1)
 +		if (bp->b_blkno == -1)
  			vfs_bio_clrbuf(bp);
  	}
 -	if ((long)bp->b_blkno == -1) {
 +	if (bp->b_blkno == -1) {
  		bufdone(bp);
  		return (0);
  	}
  	bp->b_iooffset = dbtob(bp->b_blkno);
 +	printf("%s: bp->b_iooffset %lld, bp->b_blkno %lld\n", __func__, (long long) bp->b_iooffset, (long long) bp->b_blkno);
  	bo = VFSTOEXT2(vp->v_mount)->um_bo;
  	BO_STRATEGY(bo, bp);
  	return (0);
 @@ -1752,6 +1751,7 @@ ext2_read(ap)
  		if (bytesinfile < xfersize)
  			xfersize = bytesinfile;
  
 +		printf("%s: lbn %lld\n", __func__, (long long) lbn);
  		if (lblktosize(fs, nextlbn) >= ip->i_size)
  			error = bread(vp, lbn, size, NOCRED, &bp);
  		else if ((vp->v_mount->mnt_flag & MNT_NOCLUSTERR) == 0)
 
 Modified: stable/9/usr.bin/grep/util.c
 ==============================================================================
 --- stable/9/usr.bin/grep/util.c	Thu Oct  4 09:02:38 2012	(r241191)
 +++ stable/9/usr.bin/grep/util.c	Thu Oct  4 09:49:53 2012	(r241192)
 @@ -336,10 +336,6 @@ procline(struct str *l, int nottext)
  			break;
  		}
  
 -		/* One pass if we are not recording matches */
 -		if ((color == NULL && !oflag) || qflag || lflag)
 -			break;
 -
  		if (st == (size_t)pmatch.rm_so)
  			break; 	/* No matches */
  	}
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
