authorBob Beck <beck@cvs.openbsd.org>2001-06-29 18:36:18 +0000
committerBob Beck <beck@cvs.openbsd.org>2001-06-29 18:36:18 +0000
commitd7162c24a6515826264df81bd471658b760a986e (patch)
tree8ee78af77f6eb56b7fc6e4dc6fd16c43fd27b779 /sys
parent7fe82d8289f4aea5692bfb62d76b5081fe2a6546 (diff)
move pf_test check to happen after checksum calculation - without
this packets originating from this host (such as with an rdr to localhost for transparent proxying) do not get checksummed correctly, because the pf code does not have a correct checksum to fix up (ok kjell@)
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_output.c27
1 files changed, 14 insertions, 13 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 42a69af4bee..d089d2d71c9 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.131 2001/06/28 21:53:42 provos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.132 2001/06/29 18:36:17 beck Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -638,18 +638,6 @@ sendit:
}
#endif /* IPSEC */
- /*
- * Packet filter
- */
-#if NPF > 0
- if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
- error = EHOSTUNREACH;
- m_freem(m);
- goto done;
- }
- ip = mtod(m, struct ip *);
- hlen = ip->ip_hl << 2;
-#endif
/* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
if (m->m_pkthdr.csum & M_TCPV4_CSUM_OUT) {
if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
@@ -666,6 +654,19 @@ sendit:
}
/*
+ * Packet filter
+ */
+#if NPF > 0
+ if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
+#endif
+
+ /*
* If small enough for interface, can just send directly.
*/
if ((u_int16_t)ip->ip_len <= ifp->if_mtu) {
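Review bot: The relocated block under `#if NPF > 0` now depends on running after the checksum code above it, but its comment still reads only `Packet filter`, so a later reorder could silently bring back bad checksums on locally originated packets that pf rewrites. I would extend the comment to `/* Packet filter. Must run after the checksum code above: pf adjusts an existing checksum when it rewrites a packet (e.g. rdr). */`. The context lines suggest the checksum is only finished in software when the interface lacks `IFCAP_CSUM_TCPv4`; whether pf's fix-up is still correct when the checksum stays deferred to hardware cannot be judged from this hunk and is worth confirming. The enclosing function begins and ends outside the hunk.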