When reassembled IPv6 fragments are NATed or RDRed by pf, the

checksum has to be recalculated before the packet is fragmented
again.  Put a missing in6_proto_cksum_out() into pf_refragment6().
This makes run-regress-frag6 and run-regress-frag6-ext pass again.
From Matthias Pitzl; OK henning@

diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index f0342fc..0601fe2 100644 (file)
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf_norm.c,v 1.165 2014/03/27 12:07:48 jca Exp $ */
+/*     $OpenBSD: pf_norm.c,v 1.166 2014/07/13 17:41:04 bluhm Exp $ */
 
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -703,6 +703,9 @@ pf_refragment6(struct mbuf **m0, struct m_tag *mtag, int dir)
        mtag = NULL;
        ftag = NULL;
 
+       /* Checksum must be calculated for the whole packet */
+       in6_proto_cksum_out(m, NULL);
+
        if (extoff) {
                int off;