Connection from host to Jail CKSUM Incorrect

Hi,

I've made a simple setup:
EM0 - main network interface with public IP
VLAN0 on EM0
bridge0
epair interface for jail with internal IP
rc.conf
Code:
ifconfig_vlan0="inet 10.0.1.1 netmask 255.255.255.0 vlan 6 vlandev em0
ifconfig_bridge0="addm vlan0 up"

In the jail.conf i'm creating epair**b device and assigning an internal address to it.

Here is interface configuration on HOST
Code:
vlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether c8:60:00:bd:ad:cf
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::ca60:ff:febd:adcf%vlan0 prefixlen 64 scopeid 0x7
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 6 vlanpcp: 0 parent interface: em0
        groups: vlan
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:33:dd:4d:5f:00
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair15a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 13 priority 128 path cost 2000
    member: vlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000000

epair15a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:50:00:0d:0a
        inet6 fe80::ff:50ff:fe00:d0a%epair15a prefixlen 64 scopeid 0xd
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair

Here is interface on jail
Code:
epair15b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:a0:00:0f:0b
        inet6 fe80::ff:a0ff:fe00:f0b%epair15b prefixlen 64 tentative scopeid 0x5
        inet 10.0.1.15 netmask 0xffffff00 broadcast 10.0.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair

So I'm trying to connect to nginx which is started in jail. What I'm getting is strange chksum which prevent from connection (tcpdump -nnn -e -vv inside jail):
Code:
16:05:59.264390 c8:60:00:bd:ad:cf > 02:ff:a0:00:0f:0b, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.1.1.46306 > 10.0.1.15.80: Flags , cksum 0x163e (incorrect -> 0x3a15), seq 542855385, win 8192, options [mss 1460,nop,wscale 6,sackOK,TS val 70561089 ecr 0], length 0

Interesting is that, ICMP is working as expected
Code:
16:10:27.836088 c8:60:00:bd:ad:cf > 02:ff:a0:00:0f:0b, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 128, id 8649, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.1.1 > 10.0.1.15: ICMP echo request, id 42854, seq 0, length 64
16:10:27.836098 02:ff:a0:00:0f:0b > c8:60:00:bd:ad:cf, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 16829, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.1.15 > 10.0.1.1: ICMP echo reply, id 42854, seq 0, length 64

If I add EM0 to Bridge0, everything starts working, however, I can't establish any connection in/out on host with world - so this is more annoying.
 
It might be due to hardware checksum offloading, try turning that off:
Code:
     -rxcsum, -txcsum, -rxcsum6, -txcsum6
             If the driver supports user-configurable checksum offloading,
             disable receive (or transmit) checksum offloading on the inter-
             face.  The feature can be turned off selectively per protocol
             family.  Use -rxcsum6, -txcsum6 for ip6(4) or -rxcsum, -txcsum
             otherwise.  These settings may not always be independent of each
             other.
 
Back
Top