tech-net archive


Re: IP Filter does not seem to work correctly with bge(4) when hardware checksums are enabled



On Wed, Jan 28, 2009 at 12:30:01AM -0500, Greg A. Woods wrote:
> I think there's a similar problem to PR#34799 still happening with
> bge(4) in netbsd-4 on an HP Proliant box I'm setting up as a NAT and
> firewall.
> 
> I.e. ipmon is reporting "bad" packets blocked even though the "pass"
> rule they match is triggered.  (too bad "bad" isn't well documented!)
> 
> 
> ifconfig:
> 
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         capabilities=3f00<IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>
>         caps_enabled=3f00<IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>

Last time this was reported, I think the culprit was the hardware
checksumming, which ensures that the packets are correct *on the
wire*, but not yet in the machine's main memory. As I understand,
this would apply to transmitted packets only, but on a NAT box or
a router, most packets are transmitted at some point...

Switch .*SUM.* off for a quick test.

        -is
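
Added example, not part of the original message or of NetBSD/IP Filter code: a user-space C sketch of why a software checksum check on an outbound packet can report "bad" when Tx checksum offload is enabled. It assumes the stack leaves the IPv4 header checksum field at zero for the NIC to fill; the header bytes and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, inverted. */
static uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Software verification as a filter would do it: a valid header sums to 0. */
static int hdr_cksum_ok(const uint8_t *hdr, size_t len)
{
    return inet_cksum(hdr, len) == 0;
}

/* Stand-in for the NIC's Tx offload: fill bytes 10-11 just before the wire. */
static void nic_fill_cksum(uint8_t *hdr, size_t len)
{
    hdr[10] = hdr[11] = 0;
    uint16_t c = inet_cksum(hdr, len);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xff);
}

/* Constructed 20-byte IPv4 header, 192.0.2.1 -> 198.51.100.7, protocol TCP.
 * Checksum field (bytes 10-11) is zero, as assumed with IP4CSUM_Tx enabled. */
static uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 7
};

int main(void)
{
    printf("in memory, before NIC:  %s\n",
           hdr_cksum_ok(sample_hdr, sizeof sample_hdr) ? "ok" : "bad");
    nic_fill_cksum(sample_hdr, sizeof sample_hdr);
    printf("on the wire, after NIC: %s\n",
           hdr_cksum_ok(sample_hdr, sizeof sample_hdr) ? "ok" : "bad");
    return 0;
}
```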

