diff --git a/share/man/man9/mbuf.9 b/share/man/man9/mbuf.9
--- a/share/man/man9/mbuf.9
+++ b/share/man/man9/mbuf.9
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd August 1, 2025
+.Dd January 20, 2026
 .Dt MBUF 9
 .Os
 .\"
@@ -1216,13 +1216,14 @@
 is not set, since SCTP does not use a pseudo header checksum.
 .Pp
 If IP delivers a packet with the flags
+.Dv CSUM_IP ,
 .Dv CSUM_SCTP ,
 .Dv CSUM_TCP ,
 or
 .Dv CSUM_UDP
 set in
 .Va csum_flags
-to a local SCTP, TCP, or UDP stack, the packet will be processed without
+to a local IP, SCTP, TCP, or UDP stack, the packet will be processed without
 computing or validating the checksum, since the packet has not been on the
 wire.
 This can happen if the packet was handled by a virtual interface such as
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -359,15 +359,20 @@
 	}
 
 	/*
-	 * Decrement the TTL and incrementally change the IP header checksum.
-	 * Don't bother doing this with hw checksum offloading, it's faster
-	 * doing it right here.
+	 * Decrement the TTL.
+	 * If the IP header checksum field contains a valid value, incrementally
+	 * change this value. Don't use hw checksum offloading, which would
+	 * recompute the checksum. It's faster to just change it here
+	 * according to the decremented TTL.
+	 * If the checksum still needs to be computed, don't touch it.
 	 */
 	ip->ip_ttl -= IPTTLDEC;
-	if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
-		ip->ip_sum -= ~htons(IPTTLDEC << 8);
-	else
-		ip->ip_sum += htons(IPTTLDEC << 8);
+	if (__predict_true((m->m_pkthdr.csum_flags & CSUM_IP) == 0)) {
+		if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
+			ip->ip_sum -= ~htons(IPTTLDEC << 8);
+		else
+			ip->ip_sum += htons(IPTTLDEC << 8);
+	}
 #ifdef IPSTEALTH
 	}
 #endif
@@ -465,9 +470,18 @@
 		gw = (const struct sockaddr *)dst;
 
 	/*
-	 * If TCP/UDP header still needs a valid checksum and interface will not
-	 * calculate it for us, do it here.
+	 * If the IP/SCTP/TCP/UDP header still needs a valid checksum and the
+	 * interface will not calculate it for us, do it here.
+	 * Note that if we defer checksum calculation, we might send an ICMP
+	 * message later that reflects this packet, which still has an
+	 * invalid checksum.
 	 */
+	if (__predict_false(m->m_pkthdr.csum_flags & CSUM_IP &
+	    ~nh->nh_ifp->if_hwassist)) {
+		ip->ip_sum = 0;
+		ip->ip_sum = in_cksum(m, (ip->ip_hl << 2));
+		m->m_pkthdr.csum_flags &= ~CSUM_IP;
+	}
 	if (__predict_false(m->m_pkthdr.csum_flags & CSUM_DELAY_DATA &
 	    ~nh->nh_ifp->if_hwassist)) {
 		in_delayed_cksum(m);
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -532,6 +532,12 @@
 
 	if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) {
 		sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
+	} else if (m->m_pkthdr.csum_flags & CSUM_IP) {
+		/*
+		 * Packet from local host that offloaded checksum computation.
+		 * Checksum not required since the packet wasn't on the wire.
+		 */
+		sum = 0;
 	} else {
 		if (hlen == sizeof(struct ip)) {
 			sum = in_cksum_hdr(ip);