From frf@xocolatl.com  Tue Jul 24 19:08:14 2012
Return-Path: <frf@xocolatl.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 58E59106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Jul 2012 19:08:14 +0000 (UTC)
	(envelope-from frf@xocolatl.com)
Received: from sour.xocolatl.com (unknown [IPv6:2001:470:1f04:1be5::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 065AC8FC16
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Jul 2012 19:08:13 +0000 (UTC)
Received: from sour.xocolatl.com (localhost [127.0.0.1])
	by sour.xocolatl.com (8.14.5/8.14.5) with ESMTP id q6OJ8DqG034771
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Jul 2012 12:08:13 -0700 (PDT)
	(envelope-from frf@sour.xocolatl.com)
Received: (from frf@localhost)
	by sour.xocolatl.com (8.14.5/8.14.5/Submit) id q6OJ8Dro034770;
	Tue, 24 Jul 2012 12:08:13 -0700 (PDT)
	(envelope-from frf)
Message-Id: <201207241908.q6OJ8Dro034770@sour.xocolatl.com>
Date: Tue, 24 Jul 2012 12:08:13 -0700 (PDT)
From: frf@xocolatl.com
Reply-To: frf@xocolatl.com
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPv6 with AH broken ~2012.07.08.12.00.00
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         170116
>Category:       kern
>Synopsis:       IPv6 with AH broken ~2012.07.08.12.00.00
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 19:10:11 UTC 2012
>Closed-Date:    Fri Sep 07 09:51:27 UTC 2012
>Last-Modified:  Fri Sep 07 09:51:27 UTC 2012
>Originator:     frf@xocolatl.com
>Release:        FreeBSD 9.1-PRERELEASE
>Organization:
poor
>Environment:
System: FreeBSD ncst48.local.lab 9.0-STABLE FreeBSD 9.0-STABLE #52: Tue Jul 24
17:49:29 UTC 2012     root@ncst48.local.lab:/usr/obj/usr/src/sys/NCST48  i386


>Description:
	IPv6 TCP frames using AH are not transmitted and dropped, with error:

9.1-PRERELEASE (Current as of 2012.07.24.00.00)
kernel: in6_delayed_cksum: delayed m_pullup, m->len: 40 off: 46

9.0-STABLE (From 2012.07.08.12.15.00)
kernel: in_cksum_skip: out of data by 64369 (number varies)

9.0-STABLE (From 2012.07.08.12.00.00)
Works but prints in_cksum_skip error.

Broken: 
cvsup date=2012.07.08.12.15.00
 Edit src/sys/net/if_loop.c
  Add delta 1.143.2.2 2012.07.08.12.01.11 bz
 Edit src/sys/netinet/tcp_input.c
  Add delta 1.437.2.8 2012.07.08.12.12.34 bz
 Edit src/sys/netinet/tcp_output.c
  Add delta 1.184.2.4 2012.07.08.12.12.34 bz
 Edit src/sys/netinet/tcp_subr.c
  Add delta 1.383.2.4 2012.07.08.12.12.34 bz
 Edit src/sys/netinet/tcp_syncache.c
  Add delta 1.190.2.4 2012.07.08.12.12.34 bz
 Edit src/sys/netinet/tcp_timewait.c
  Add delta 1.316.2.4 2012.07.08.12.12.34 bz

Works:
cvsup date=2012.07.08.12.00.00
 Edit src/sys/net/if_loop.c
  Add delta 1.143.2.1 2011.09.23.00.51.37 kensmith
 Edit src/sys/netinet/tcp_input.c
  Add delta 1.437.2.7 2012.06.05.11.28.57 bz
 Edit src/sys/netinet/tcp_output.c
  Add delta 1.184.2.3 2012.05.19.18.32.31 bz
 Edit src/sys/netinet/tcp_subr.c
  Add delta 1.383.2.3 2012.05.05.07.55.50 glebius
 Edit src/sys/netinet/tcp_syncache.c
  Add delta 1.190.2.3 2012.05.19.18.32.31 bz
 Edit src/sys/netinet/tcp_timewait.c
  Add delta 1.316.2.3 2012.05.19.18.32.31 bz

>How-To-Repeat:

Configure IPv6 (autoconf or manual)
Configure ipsec via setkey and ipsec.conf
 add -6 <src ip6 addr> <dest ip6 addr> ah 0x123456 -A hmac-sha1 0x<long key>;
 add -6 <dest ip6 addr> <src ip6 addr> ah 0x123456 -A hmac-sha1 0x<long key>;
 spdadd  <src ip6 addr> <dest ip6 addr> any -P out ipsec ah/transport//require ;
 spdadd  <dest ip6 addr> <src ip6 addr> any -P in ipsec ah/transport//require;

TCP fails. From broken host; tcpdump shows no output but does show input from
other end. netstat -n show SYN_RECVD state for connetion.

ICMP works 

This worked prior to July 8th 2012.

>Fix:

Unknown, but breakage is related to changes to checksum and offload
processing in the above listed files MFC'd on July 8th by bz@freebsd.org

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Wed Jul 25 12:46:29 UTC 2012 
Responsible-Changed-Why:  
Take, as it is claimed to be my fault. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170116 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, frf@xocolatl.com
Cc:  
Subject: Re: kern/170116: IPv6 with AH broken ~2012.07.08.12.00.00
Date: Wed, 25 Jul 2012 12:55:08 +0000 (UTC)

 Hey,
 
 hmm what happens of you ifconfig lo0 -rxcsum6 -txcsum6 ?  Unless you
 are talking AH to local (same machine) IPs it should not matter.
 
 I think you found a totally different bug that is just exposed now,
 but could be wrong.   The kernel: in6_delayed_cksum: delayed m_pullup ..
 error is interesting; could you also please give me an ident of
 sys/netinet6/ip6_output.c ?
 
 
 /bz
 
 -- 
 Bjoern A. Zeeb                                 You have to have visions!
           Stop bit received. Insert coin for new address family.

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, frf@xocolatl.com
Cc:  
Subject: Re: kern/170116: IPv6 with AH broken ~2012.07.08.12.00.00
Date: Tue, 31 Jul 2012 05:10:10 +0000 (UTC)

 Hey,
 
 can you test this change; it should equally apply to HEAD and
 stable/9:
 
 
 http://people.freebsd.org/~bz/20120731-01-ipsec-v6.diff
 
 In case of IPsec he have to do delayed checksum calculations before
 adding any extension header, or rather before calling into IPsec
 processing as we may send the packet and not return IPv6 output
 processing here.
 
 PR:		kern/170116
 Tested by: 
 MFC After: 
 Index: sys/netinet6/ip6_output.c
 ===================================================================
 --- sys/netinet6/ip6_output.c	(revision 238894)
 +++ sys/netinet6/ip6_output.c	(working copy)
 @@ -305,6 +306,20 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *op
   		goto freehdrs;
   	case -1:                /* Do IPSec */
   		needipsec = 1;
 +		/*
 +		 * Do delayed checksums now, as we may send before returning.
 +		 */
 +		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
 +			plen = m->m_pkthdr.len - sizeof(*ip6);
 +			in6_delayed_cksum(m, plen, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
 +		}
 +#ifdef SCTP
 +		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
 +			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
 +		}
 +#endif
   	case 0:                 /* No IPSec */
   	default:
   		break;
 
 -- 
 Bjoern A. Zeeb                                 You have to have visions!
           Stop bit received. Insert coin for new address family.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170116: commit references a PR
Date: Tue, 31 Jul 2012 05:44:20 +0000 (UTC)

 Author: bz
 Date: Tue Jul 31 05:44:03 2012
 New Revision: 238935
 URL: http://svn.freebsd.org/changeset/base/238935
 
 Log:
   Properly apply #ifdef INET and leave a comment that we are (will) apply
   delayed IPv6 checksum processing in ip6_output.c when doing IPsec.
   
   PR:		kern/170116
   MFC after:	3 days
 
 Modified:
   head/sys/netinet6/ip6_ipsec.c
 
 Modified: head/sys/netinet6/ip6_ipsec.c
 ==============================================================================
 --- head/sys/netinet6/ip6_ipsec.c	Tue Jul 31 05:34:54 2012	(r238934)
 +++ head/sys/netinet6/ip6_ipsec.c	Tue Jul 31 05:44:03 2012	(r238935)
 @@ -291,16 +291,16 @@ ip6_ipsec_output(struct mbuf **m, struct
  		/*
  		 * Do delayed checksums now because we send before
  		 * this is done in the normal processing path.
 -		 * XXX-BZ CSUM_DELAY_DATA_IPV6?
 +		 * For IPv6 we do delayed checksums in ip6_output.c.
  		 */
 +#ifdef INET
  		if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
  			ipseclog((LOG_DEBUG,
  			    "%s: we do not support IPv4 over IPv6", __func__));
 -#ifdef INET
  			in_delayed_cksum(*m);
 -#endif
  			(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
  		}
 +#endif
  
  		/*
  		 * Preserve KAME behaviour: ENOENT can be returned
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: Robert Faulds <frf@xocolatl.com>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/170116: IPv6 with AH broken ~2012.07.08.12.00.00
Date: Tue, 31 Jul 2012 16:47:48 +0200

 Hey,
 
 Tested on HEAD and RELENG_9 from this morning.
 
 ip6 tcp and udp work fine with AH.
 
 I have a problem with sctp, but I have not verified it's related to this =
 test so you may want to check that on your side.
 
 
 It appears that the address selection algorithm may be broken, at least =
 in netperf. =20
 SCTP tests fail because the source addr of the reply is set to the wrong =
 addr if the interface has two ip6_addr's.
 
 e.g. tcpdump -ni em1 net fd5b:a4f4:35c::/48
 
 14:26:03.470676 IP6 fd5b:a4f4:35c:4ff:250:56ff:feba:29f1.51360 > =
 fd5b:a4f4:35c:404:250:56ff:feba:7d6c.48831: sctp (1) [COOKIE ECHO]=20
 14:26:03.470678 IP6 2001:1890:1c02:405:250:56ff:feba:7d6c.48831 > =
 fd5b:a4f4:35c:4ff:250:56ff:feba:29f1.51360: sctp (1) [COOKIE ACK]=20
 14:26:05.469733 IP6 fd5b:a4f4:35c:4ff:250:56ff:feba:29f1.51360 > =
 fd5b:a4f4:35c:404:250:56ff:feba:7d6c.48831: sctp (1) [COOKIE ECHO]=20
 14:26:05.469735 IP6 2001:1890:1c02:405:250:56ff:feba:7d6c.48831 > =
 fd5b:a4f4:35c:4ff:250:56ff:feba:29f1.51360: sctp (1) [COOKIE ACK]=20
 
 This is the netserver side:  RELENG_9
 
 fd5b:a4f4:35c:404:250:56ff:feba:7d6c is the incoming frame addressed to =
 the non-AH unique-local addr.=20
 2001:1890:1c02:405:250:56ff:feba:7d6c is the reply frame sourced with =
 the scope global-unique (also the AH SPD address)  instead of the =
 unique-local addr that it came in on.
 I even forced netserver to only listen on the unique-local address with =
 -L
 
 I have not witnessed this before but my sctp testing has been limited.
 
 
 Thanks for the help,
 Robert
 
 
 
 On Jul 31, 2012, at 7:10 AM, Bjoern A. Zeeb wrote:
 
 >=20
 > Hey,
 >=20
 > can you test this change; it should equally apply to HEAD and
 > stable/9:
 >=20
 >=20
 > http://people.freebsd.org/~bz/20120731-01-ipsec-v6.diff
 >=20
 > In case of IPsec he have to do delayed checksum calculations before
 > adding any extension header, or rather before calling into IPsec
 > processing as we may send the packet and not return IPv6 output
 > processing here.
 >=20
 > PR:		kern/170116
 > Tested by: MFC After: Index: sys/netinet6/ip6_output.c
 > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 > --- sys/netinet6/ip6_output.c	(revision 238894)
 > +++ sys/netinet6/ip6_output.c	(working copy)
 > @@ -305,6 +306,20 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts =
 *op
 > 		goto freehdrs;
 > 	case -1:                /* Do IPSec */
 > 		needipsec =3D 1;
 > +		/*
 > +		 * Do delayed checksums now, as we may send before =
 returning.
 > +		 */
 > +		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
 > +			plen =3D m->m_pkthdr.len - sizeof(*ip6);
 > +			in6_delayed_cksum(m, plen, sizeof(struct =
 ip6_hdr));
 > +			m->m_pkthdr.csum_flags &=3D =
 ~CSUM_DELAY_DATA_IPV6;
 > +		}
 > +#ifdef SCTP
 > +		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
 > +			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
 > +			m->m_pkthdr.csum_flags &=3D ~CSUM_SCTP_IPV6;
 > +		}
 > +#endif
 > 	case 0:                 /* No IPSec */
 > 	default:
 > 		break;
 >=20
 > --=20
 > Bjoern A. Zeeb                                 You have to have =
 visions!
 >         Stop bit received. Insert coin for new address family.
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170116: commit references a PR
Date: Tue, 31 Jul 2012 23:34:18 +0000 (UTC)

 Author: bz
 Date: Tue Jul 31 23:34:06 2012
 New Revision: 238960
 URL: http://svn.freebsd.org/changeset/base/238960
 
 Log:
   In case of IPsec he have to do delayed checksum calculations before
   adding any extension header, or rather before calling into IPsec
   processing as we may send the packet and not return to IPv6 output
   processing here.
   
   PR:		kern/170116
   MFC After:	3 days
 
 Modified:
   head/sys/netinet6/ip6_output.c
 
 Modified: head/sys/netinet6/ip6_output.c
 ==============================================================================
 --- head/sys/netinet6/ip6_output.c	Tue Jul 31 22:25:29 2012	(r238959)
 +++ head/sys/netinet6/ip6_output.c	Tue Jul 31 23:34:06 2012	(r238960)
 @@ -306,6 +306,20 @@ ip6_output(struct mbuf *m0, struct ip6_p
  		goto freehdrs;
  	case -1:                /* Do IPSec */
  		needipsec = 1;
 +		/*
 +		 * Do delayed checksums now, as we may send before returning.
 +		 */
 +		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
 +			plen = m->m_pkthdr.len - sizeof(*ip6);
 +			in6_delayed_cksum(m, plen, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
 +		}
 +#ifdef SCTP
 +		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
 +			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
 +		}
 +#endif
  	case 0:                 /* No IPSec */
  	default:
  		break;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: bz 
State-Changed-When: Tue Jul 31 23:43:41 UTC 2012 
State-Changed-Why:  
Committed to HEAD, will merge to stable/9 in a few days. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170116 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170116: commit references a PR
Date: Wed, 29 Aug 2012 13:14:54 +0000 (UTC)

 Author: bz
 Date: Wed Aug 29 13:14:39 2012
 New Revision: 239831
 URL: http://svn.freebsd.org/changeset/base/239831
 
 Log:
   MFC r238935:
   
     Properly apply #ifdef INET and leave a comment that we are (will) apply
     delayed IPv6 checksum processing in ip6_output.c when doing IPsec.
   
   PR:	kern/170116
 
 Modified:
   stable/9/sys/netinet6/ip6_ipsec.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/netinet6/ip6_ipsec.c
 ==============================================================================
 --- stable/9/sys/netinet6/ip6_ipsec.c	Wed Aug 29 13:10:34 2012	(r239830)
 +++ stable/9/sys/netinet6/ip6_ipsec.c	Wed Aug 29 13:14:39 2012	(r239831)
 @@ -291,16 +291,16 @@ ip6_ipsec_output(struct mbuf **m, struct
  		/*
  		 * Do delayed checksums now because we send before
  		 * this is done in the normal processing path.
 -		 * XXX-BZ CSUM_DELAY_DATA_IPV6?
 +		 * For IPv6 we do delayed checksums in ip6_output.c.
  		 */
 +#ifdef INET
  		if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
  			ipseclog((LOG_DEBUG,
  			    "%s: we do not support IPv4 over IPv6", __func__));
 -#ifdef INET
  			in_delayed_cksum(*m);
 -#endif
  			(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
  		}
 +#endif
  
  		/*
  		 * Preserve KAME behaviour: ENOENT can be returned
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170116: commit references a PR
Date: Wed, 29 Aug 2012 13:19:46 +0000 (UTC)

 Author: bz
 Date: Wed Aug 29 13:19:27 2012
 New Revision: 239832
 URL: http://svn.freebsd.org/changeset/base/239832
 
 Log:
   MFC r238960:
   
     In case of IPsec he have to do delayed checksum calculations before
     adding any extension header, or rather before calling into IPsec
     processing as we may send the packet and not return to IPv6 output
     processing here.
   
   PR:	kern/170116
 
 Modified:
   stable/9/sys/netinet6/ip6_output.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/netinet6/ip6_output.c
 ==============================================================================
 --- stable/9/sys/netinet6/ip6_output.c	Wed Aug 29 13:14:39 2012	(r239831)
 +++ stable/9/sys/netinet6/ip6_output.c	Wed Aug 29 13:19:27 2012	(r239832)
 @@ -304,6 +304,20 @@ ip6_output(struct mbuf *m0, struct ip6_p
  		goto freehdrs;
  	case -1:                /* Do IPSec */
  		needipsec = 1;
 +		/*
 +		 * Do delayed checksums now, as we may send before returning.
 +		 */
 +		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
 +			plen = m->m_pkthdr.len - sizeof(*ip6);
 +			in6_delayed_cksum(m, plen, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
 +		}
 +#ifdef SCTP
 +		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
 +			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
 +		}
 +#endif
  	case 0:                 /* No IPSec */
  	default:
  		break;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170116: commit references a PR
Date: Fri,  7 Sep 2012 09:45:23 +0000 (UTC)

 Author: bz
 Date: Fri Sep  7 09:45:08 2012
 New Revision: 240194
 URL: http://svn.freebsd.org/changeset/base/240194
 
 Log:
   MFC r238935,238960:
   
     Properly apply #ifdef INET and leave a comment that we are (will) apply
     delayed IPv6 checksum processing in ip6_output.c when doing IPsec.
   
     In case of IPsec he have to do delayed checksum calculations before
     adding any extension header, or rather before calling into IPsec
     processing as we may send the packet and not return to IPv6 output
     processing here.
   
   PR:		kern/170116
   Approved by:	re (kib)
 
 Modified:
   releng/9.1/sys/netinet6/ip6_ipsec.c
   releng/9.1/sys/netinet6/ip6_output.c
 Directory Properties:
   releng/9.1/sys/   (props changed)
 
 Modified: releng/9.1/sys/netinet6/ip6_ipsec.c
 ==============================================================================
 --- releng/9.1/sys/netinet6/ip6_ipsec.c	Fri Sep  7 09:22:11 2012	(r240193)
 +++ releng/9.1/sys/netinet6/ip6_ipsec.c	Fri Sep  7 09:45:08 2012	(r240194)
 @@ -291,16 +291,16 @@ ip6_ipsec_output(struct mbuf **m, struct
  		/*
  		 * Do delayed checksums now because we send before
  		 * this is done in the normal processing path.
 -		 * XXX-BZ CSUM_DELAY_DATA_IPV6?
 +		 * For IPv6 we do delayed checksums in ip6_output.c.
  		 */
 +#ifdef INET
  		if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
  			ipseclog((LOG_DEBUG,
  			    "%s: we do not support IPv4 over IPv6", __func__));
 -#ifdef INET
  			in_delayed_cksum(*m);
 -#endif
  			(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
  		}
 +#endif
  
  		/*
  		 * Preserve KAME behaviour: ENOENT can be returned
 
 Modified: releng/9.1/sys/netinet6/ip6_output.c
 ==============================================================================
 --- releng/9.1/sys/netinet6/ip6_output.c	Fri Sep  7 09:22:11 2012	(r240193)
 +++ releng/9.1/sys/netinet6/ip6_output.c	Fri Sep  7 09:45:08 2012	(r240194)
 @@ -304,6 +304,20 @@ ip6_output(struct mbuf *m0, struct ip6_p
  		goto freehdrs;
  	case -1:                /* Do IPSec */
  		needipsec = 1;
 +		/*
 +		 * Do delayed checksums now, as we may send before returning.
 +		 */
 +		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
 +			plen = m->m_pkthdr.len - sizeof(*ip6);
 +			in6_delayed_cksum(m, plen, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
 +		}
 +#ifdef SCTP
 +		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
 +			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
 +			m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
 +		}
 +#endif
  	case 0:                 /* No IPSec */
  	default:
  		break;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Fri Sep 7 09:50:59 UTC 2012 
State-Changed-Why:  
Changes also merged for 9.1-R now.  Thanks a lot for the report! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170116 
>Unformatted:
