From aa24757a1a71abafa6b591d4fc7f800051db90f5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 28 Mar 2018 11:19:18 +0200
Subject: [PATCH] netinet: err, fix checksumming for IPsec
---
 sys/netinet/ip_input.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 799a0fd011f..f94be86c26c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1022,9 +1022,21 @@ ip_forward(struct mbuf *m, int srcrt)
 m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
 }
 #ifdef IPSTEALTH
- if (V_ipstealth == 0)
+ if (V_ipstealth == 0) {
+#endif
+ /*
+ * Decrement the TTL and incrementally change the IP header checksum.
+ * Don't bother doing this with hw checksum offloading, it's faster
+ * doing it right here.
+ */
+ ip->ip_ttl -= IPTTLDEC;
+ if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
+ ip->ip_sum -= ~htons(IPTTLDEC << 8);
+ else
+ ip->ip_sum += htons(IPTTLDEC << 8);
+#ifdef IPSTEALTH
+ }
 #endif
- ip->ip_ttl -= IPTTLDEC;
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
 if (IPSEC_ENABLED(ipv4)) {
 if ((error = IPSEC_FORWARD(ipv4, m)) != 0) {
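Review bot: The incremental update after `ip->ip_ttl -= IPTTLDEC;` is only correct if `ip->ip_sum` still holds a valid header checksum when ip_forward() reaches this point, and the new comment gives only the speed rationale, not that assumption or why the sum has to be fixed here. I would extend the comment with something like `Keep ip_sum consistent with the new TTL, since m is handed to IPSEC_FORWARD() below; assumes ip_sum was valid on entry.` The subtraction `ip->ip_sum -= ~htons(IPTTLDEC << 8);` relies on implicit narrowing of the promoted int, unlike the comparison above it; `ip->ip_sum -= (u_int16_t)~htons(IPTTLDEC << 8);` would match and keep conversion warnings quiet. The `{` opened under one `#ifdef IPSTEALTH` and closed under a second, with the body apparently left at the outer indent, is easy to mis-pair in later edits. ip_forward() starts and ends outside the hunk, so the TTL-expiry check that presumably guards the decrement is not visible here.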