* Daniel Hartmeier <[EMAIL PROTECTED]> [2008-02-14 16:37]:
> On Tue, Feb 12, 2008 at 07:40:14PM +0100, Helmut Schneider wrote:
>
> > Is that expected?
>
> No, it's a bug introduced with pf.c 1.534 after 4.1 was released.
>
> > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.533&r2=1.534&f=h
>
> For IPv6 TCP, calling pf_check_proto_cksum() with AF_INET will always
> fail. No RST will be generated, the 'proto-cksum' counter in pfctl -si
> output will increase instead.
>
> Henning?

this works, tested by Helmut, ok? Index: pf.c =================================================================== RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.565 diff -u -p -r1.565 pf.c --- pf.c 22 Nov 2007 02:01:46 -0000 1.565 +++ pf.c 15 Feb 2008 14:20:09 -0000 @@ -3240,10 +3240,22 @@ pf_test_rule(struct pf_rule **rm, struct (r->rule_flag & PFRULE_RETURN)) && !(th->th_flags & TH_RST)) { u_int32_t ack = ntohl(th->th_seq) + pd->p_len; - struct ip *h = mtod(m, struct ip *); + int len = 0; + struct ip *h4; + struct ip6_hdr *h6; - if (pf_check_proto_cksum(m, off, - ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) + switch (af) { + case AF_INET: + h4 = mtod(m, struct ip *); + len = ntohs(h4->ip_len) - off; + break; + case AF_INET6: + h6 = mtod(m, struct ip6_hdr *); + len = ntohs(h6->ip6_plen) - (off - sizeof(*h6)); + break; + } + + if (pf_check_proto_cksum(m, off, len, IPPROTO_TCP, af)) REASON_SET(&reason, PFRES_PROTCKSUM); else { if (th->th_flags & TH_SYN)
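
Review bot: the new switch (af) in pf_test_rule() has no default case, so for any address family other than AF_INET or AF_INET6 len keeps its initial value of 0 and is still passed to pf_check_proto_cksum(m, off, len, IPPROTO_TCP, af). Either add a default that sets the reason and skips the RST, or add a comment stating that af can only be one of the two at this point. In the AF_INET6 case, the expression (off - sizeof(*h6)) is evaluated as unsigned because of the sizeof operand and the result is then stored in the signed len; casting sizeof(*h6) to int would keep the subtraction signed. A one-line comment noting that ip6_plen excludes the fixed IPv6 header while ip_len includes the IPv4 header would explain why the two cases compute len differently.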