>Number:         27007
>Category:       kern
>Synopsis:       ipf causes bad checksums on bridge interfaces
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 20 17:26:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Sebastian Ponitka
>Release:        NetBSD 2.0 BETA
>Organization:
>Environment:
NetBSD ghost 2.0_BETA NetBSD 2.0_BETA (ghost) #1: Mon Sep 20 18:34:01 CEST 2004  sebastian@ghost:/usr/src/sys/arch/i386/compile/ghost i386

>Description:
I would like to use a NetBSD 2.0 BETA box as a transparent filtering bridge. Got the latest 2.0 version from CVS (ipf Version 4.1.3). When I use the "ipf" flag with brconfig, the bridge stops forwarding TCP/UDP packets. ICMP works fine and I can write ipf rules that aply to these ICMP packets

This is my setup:

w2k-box --- ex0 bridge rtk0 --- target

From my w2k box I can ping the target and the target can ping my w2k-box. But neither UDP nor TCP connections work. A tcpdump (on the bridge box) shows that the TCP/UDP packets go out to the target, but I don't get any answer.

A tcdump (on the target) shows that the TCP/UDP packets have a bad checksums. When I remove the ipf on the bridge interface (-ipf) the checksums are OK and everything works fine.
>How-To-Repeat:

1. recompile kernel with "BRIDGE_IPF" option
2. write ipf rules that should allow anything
3. activate ipf on the bridge using the "ipf" option with brconfig

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: