* Daniel Hartmeier <[EMAIL PROTECTED]> [2008-02-14 16:37]:
> On Tue, Feb 12, 2008 at 07:40:14PM +0100, Helmut Schneider wrote:
> 
> > Is that expected?
> 
> No, it's a bug introduced with pf.c 1.534 after 4.1 was released.
> 
>   http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.533&r2=1.534&f=h
> 
> For IPv6 TCP, calling pf_check_proto_cksum() with AF_INET will always
> fail. No RST will be generated, the 'proto-cksum' counter in pfctl -si
> output will increase instead.
> 
> Henning?

this works, tested by Helmut, ok?

Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.565
diff -u -p -r1.565 pf.c
--- pf.c        22 Nov 2007 02:01:46 -0000      1.565
+++ pf.c        15 Feb 2008 14:20:09 -0000
@@ -3240,10 +3240,22 @@ pf_test_rule(struct pf_rule **rm, struct
                    (r->rule_flag & PFRULE_RETURN)) &&
                    !(th->th_flags & TH_RST)) {
                        u_int32_t        ack = ntohl(th->th_seq) + pd->p_len;
-                       struct ip       *h = mtod(m, struct ip *);
+                       int              len = 0;
+                       struct ip       *h4;
+                       struct ip6_hdr  *h6;
 
-                       if (pf_check_proto_cksum(m, off,
-                           ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET))
+                       switch (af) {
+                       case AF_INET:
+                               h4 = mtod(m, struct ip *);
+                               len = ntohs(h4->ip_len) - off;
+                               break;
+                       case AF_INET6:
+                               h6 = mtod(m, struct ip6_hdr *);
+                               len = ntohs(h6->ip6_plen) - (off - sizeof(*h6));
+                               break;
+                       }
+
+                       if (pf_check_proto_cksum(m, off, len, IPPROTO_TCP, af))
                                REASON_SET(&reason, PFRES_PROTCKSUM);
                        else {
                                if (th->th_flags & TH_SYN)
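
Review bot: the switch (af) has no default case, so for any af other than AF_INET or AF_INET6 len keeps its initial value of 0 and pf_check_proto_cksum() is still called with that length. A default branch that makes the outcome explicit (for example setting the PFRES_PROTCKSUM reason and skipping the RST) would be clearer than relying on the initializer. In the AF_INET6 case, off - sizeof(*h6) is evaluated as size_t, so the whole right-hand side is unsigned before it is stored in the int len; writing it as ntohs(h6->ip6_plen) - (off - (int)sizeof(*h6)) keeps the arithmetic signed. A one-line comment that ip6_plen excludes the fixed IPv6 header, which is why sizeof(*h6) is subtracted from off, would help the next reader.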
