Re: [PATCHv2] ipv6: ip6mr: Recalc UDP checksum before forwarding
From: Brendan McGrath
Date: Sat Dec 16 2017 - 07:19:37 EST
The network diagram is very simple. It is just:
VM <------* MR --------> PH
Where:
MR = Multicast Router
VM = Virtual Machine (connected by a Virtual Interface using the
'virtio_net' driver)
PH = Physical Host (connected by a physical Ethernet connection)
* = The interface where the packet originates (the 'virtio net' interface)
Due to a MFC entry - the packet is forwarded from the virtio interface
to the physical interface. There is an assumption in this forwarding
process that the checksum would already be calculated.
But I have found that with 'tx checksum offloading' on - the
'virtio_net' driver does not appear to generate a checksum at all. The
assumption here is that the packet will only ever be seen internal to
the virtio network.
But this scenario sits outside both those assumptions - hence the issue.
This patch looked to address the assumption made in the forwarding
process - but I now think the issue is with the virtio assumption. Some
research on the Internet highlighted other issues with the virtio
assumption. They are:
1. Applications that look at the entire packet and validate checksum
themselves (such as some DHCP clients); and
2. Tunnels - where the packet is placed inside a tunnel as is and
delivered elsewhere
And of course this scenario.
This archived libvirt-users post actually gave me a couple of ideas to try:
https://www.redhat.com/archives/libvirt-users/2016-March/msg00034.html
When I disable tx checksum offloading on the virtio interface (via
'ethtool -K virbr0 tx off') - the checksum is calculated correctly and
everything works.
I can also get it to work by adding the following ip6filter entry:
ip6tables -t mangle -A POSTROUTING -o virbr0 -d ff00::/8 -j CHECKSUM
--checksum-fill
So I think this patch can be withdrawn in favour of one of these two
workarounds.
On 16/12/17 05:27, David Miller wrote:
From: Brendan McGrath <redmcg@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Dec 2017 22:37:03 +1100
Currently, when forwarding a multicast packet originating from a
Virtual Interface on a Multicast Router to one of its Physical
Interfaces, ip_summed is set to a value of CHECKSUM_UNNECESSARY and
the UDP checksum is not calculated.
The checksum value of the forwarded packet is left as is and
therefore rejected by the receiving machine(s).
This patch ensures the checksum is recalculated before forwarding.
Signed-off-by: Brendan McGrath <redmcg@xxxxxxxxxxxxxxxxxxx>
I still don't like this, UDP can't be the only protocol that goes
over multicast and might therefore have this problem.
Actually, I'm still also having trouble figuring out how this happens
in the first place.
Please draw a specific detailed network diagram, show the exact
configuration of each interface and exactly what driver runs that
interface, and show where the packet comes from, who creates it, and
where these checksum settings are done that lead to this problem.
Like Eric, I'm very suspicious and I think that there is some problem
with whoever builds or modifies this packet, and the code you are
touching has no business "fixing it up"
Thank you.