On Saturday 04 March 2006 15:51, Pieter de Boer wrote:
> Adam McDougall wrote:
> > Could someone possibly take a look at this and let me know if it
> > looks 'broken' or if I might be doing something wrong? I am in
> > a crunch to choose a firewall solution within a few weeks and it
> > would help me to know if this issue can be solved. FreeBSD/pf
> > seemed an appropriate solution so far, especially since it has
> > CARP, pfsync, (and altq which I'm not using (yet?)).
>
> You could try compiling pf using CFLAGS=-O instead of -O2. This fixed a
> checksum problem I had. That probably was an entirely different issue,
> but perhaps it does help..

Can you try this patch and report back instead? Thanks and sorry for the delay.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Index: pf_norm.c =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v retrieving revision 1.16 diff -u -r1.16 pf_norm.c --- pf_norm.c 19 Jan 2006 11:46:45 -0000 1.16 +++ pf_norm.c 4 Mar 2006 14:49:13 -0000 @@ -988,8 +988,12 @@ goto drop; /* Clear IP_DF if the rule uses the no-df option */ - if (r->rule_flag & PFRULE_NODF) + if ((r->rule_flag & PFRULE_NODF) { + u_int16_t old = h->ip_off; + h->ip_off &= htons(~IP_DF); + h->ip_sum = pf_cksum_fixup(h->ip_sum, old, h->ip_off, 0); + } /* We will need other tests here */ if (!fragoff && !mff)
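
Review bot: the added condition "if ((r->rule_flag & PFRULE_NODF) {" opens two parentheses and closes only one, so pf_norm.c will not compile with this hunk as posted; it should read "if (r->rule_flag & PFRULE_NODF) {". The block also calls pf_cksum_fixup() when IP_DF was already clear, in which case old and the new h->ip_off are identical; adding "h->ip_off & htons(IP_DF)" to the same condition would skip that case and make the intent explicit. A short comment noting that ip_sum is adjusted because ip_off was modified in place would help the next reader.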