path: root/lib/libc
author: Lawrence Teo <lteo@cvs.openbsd.org> 2013-04-08 15:32:24 +0000
committer: Lawrence Teo <lteo@cvs.openbsd.org> 2013-04-08 15:32:24 +0000
commit: 5e23820c8135672151d123ff0724c631da91c23f
tree: 7a4bdbb57301ee42fe4a98c50f7c20c23d168989 /lib/libc
parent: 8abbbcd7a9b2b5e924dbd97b20f541868d4d300d
Recalculate the IP and protocol checksums of packets (re)injected via
divert(4) sockets.

Recalculation of these checksums is necessary because (1) PF no longer
updates IP checksums as of pf.c rev 1.731, so translated packets that are
diverted to userspace (e.g. divert-packet with nat-to/rdr-to) will have bad
IP checksums and will be reinjected with bad IP checksums if the userspace
program doesn't correct the checksums; (2) the userspace program may modify
the packets, which would invalidate the checksums; and (3) the divert(4) man
page states that checksums are supposed to be recalculated on reinjection.

This diff has been tested on a public webserver serving both IPv4/IPv6 for
more than four weeks. It has also been tested on a firewall with
divert-packet and nat-to/rdr-to where it transferred over 60GB of
FTP/HTTP/HTTPS/SSH/DNS/ICMP/ICMPv6 data correctly, using IPv4/IPv6 userspace
programs that intentionally break the IP and protocol checksums to confirm
that recalculation is done correctly on reinjection. IPv6 extension headers
were tested with Scapy.

Thanks to florian@ for testing the original version of the diff with
dnsfilter and Justin Mayes for testing the original version with Snort
inline. Thanks also to todd@ for helping me in my search for the cause of
this bug. I would especially like to thank blambert@ for reviewing many
versions of this diff, and providing guidance and tons of helpful feedback.

no objections from florian@
help/ok blambert@, ok henning@
Diffstat (limited to 'lib/libc')
0 files changed, 0 insertions, 0 deletions
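The checksum failure the commit message describes, as an added example in C that is not part of this OpenBSD commit or of divert(4)/pf code: a constructed IPv4 header is checksummed, its source address is then rewritten the way nat-to would without touching ip_sum (the pf.c rev 1.731 behaviour), which leaves the header invalid until the checksum is recomputed, as the kernel now does on reinjection. The names in_cksum, ip_cksum_valid, ip_set_cksum, nat_rewrite_src and sample_hdr are chosen here for illustration.

```c
#include <stdint.h>
#include <string.h>

#define IP_HDRLEN	20
#define IP_CSUM_OFF	10
#define IP_SRC_OFF	12

/* RFC 1071 one's-complement sum over a buffer; returns the value for ip_sum. */
uint16_t in_cksum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;
	while (len > 1) {
		sum += ((uint32_t)buf[0] << 8) | buf[1];
		buf += 2; len -= 2;
	}
	if (len > 0)
		sum += (uint32_t)buf[0] << 8;	/* odd trailing byte */
	while (sum >> 16)			/* fold carries back in */
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* A header whose ip_sum is correct checksums to zero. */
int ip_cksum_valid(const uint8_t *hdr)
{
	return in_cksum(hdr, IP_HDRLEN) == 0;
}

/* Recompute ip_sum: zero the field, checksum the header, store big-endian. */
void ip_set_cksum(uint8_t *hdr)
{
	uint16_t sum;
	hdr[IP_CSUM_OFF] = hdr[IP_CSUM_OFF + 1] = 0;
	sum = in_cksum(hdr, IP_HDRLEN);
	hdr[IP_CSUM_OFF] = sum >> 8;
	hdr[IP_CSUM_OFF + 1] = sum & 0xff;
}

/* Translate the source address the way nat-to would, leaving ip_sum stale. */
void nat_rewrite_src(uint8_t *hdr, const uint8_t newsrc[4])
{
	memcpy(hdr + IP_SRC_OFF, newsrc, 4);
}

/* Constructed IPv4/TCP header 192.0.2.10 -> 198.51.100.20 (RFC 5737); ip_sum zero. */
const uint8_t sample_hdr[IP_HDRLEN] = {
	0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
	0x40, 0x06, 0x00, 0x00, 192, 0, 2, 10, 198, 51, 100, 20
};
```

A userspace divert(4) consumer that edits packets would call the equivalent of ip_set_cksum (and the matching protocol checksum update) before writing the packet back, which is exactly what the kernel now guarantees for the IP and protocol checksums on reinjection.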