On Tue, Sep 21, 2010 at 10:27:45AM +0200, xming wrote:
> > Newer versions of dhclient should also be OK: they detect
> > that checksum is missing in the packet. Try it e.g. with
> > a recent fedora guest as a client.
>
> I don't have fedora, but with the latest release (4.1.1-P1) on isc.org
> it still behaves the same (see output at the bottom).
>
> > To solve the problem for old clients, recent kernels and iptables have
> > support for CHECKSUM target.
> >
> > You can use this target to compute and fill in the checksum in
> > a packet that lacks a checksum.
> >
> > Typical expected use:
> > iptables -A POSTROUTING -t mangle -p udp --dport bootpc \
> >     -j CHECKSUM --checksum-fill
>
> Nice trick :D

Does it help?

> > libvirt will program these for you if it sets up the server,
> > maybe there needs a flag to tell it that server is local.
>
> I don't use libvirt.

Does it help if you program the rule above?

> My point is, there doesn't seem to be much working client and the only
> working client is a very old one (pump), newer clients do not work,
> as opposed to what you have explained.

Sorry if I misled you. dhclient in Fedora is ok and has been for a long
while but the bugfix does not appear to be present in released clients
from isc.org, or so it seems from examining the source.
I don't know why and whether it was ever sent their way:
it might be a good idea to talk to them on why they don't use
the PACKET_AUXDATA checksum API linux has had since 2007.

Meanwhile, you can try adding the patch from fedora.

> To repeat myself, here is the situation:
>
> - DHCP server with vhost_net, all clients w/o vhost_net work, clients
>   with vhost_net do not work except pump
> - DHCP server w/o vhost_net, all clients work

Hmm are you sure? I expect vhost net client to still not work.
At least, the hack in qemu (that vhost-net disables)
is for dhcp response packets, I do not see how it will help the server ...

> - physical DHCP server, clients with vhost *do* work.
>

Yes, qemu has a hack that catches typical use and will attach a checksum
on receive. Unfortunately keeping that around made it all too easy
for vendors to keep shipping buggy clients (and I presume server
has a similar issue).

So the only quick solution I have is to work around this
in kernel: in this case by programming the iptables rule.

-- 
MST
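
The following C example is added here and is not part of the original message, of dhclient, or of the kernel. It computes the UDP checksum that `--checksum-fill` would store in a DHCP reply and models a receiver that either verifies the field or skips verification when told the checksum is not ready. `client_accepts`, `make_sample` and the packet bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words, accumulated into sum. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t sum) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (n) sum += (uint32_t)p[0] << 8;           /* odd trailing byte */
    return sum;
}

/* UDP checksum for the IPv4 packet at ip (assumes a well-formed length). */
uint16_t udp_csum(const uint8_t *ip) {
    const uint8_t *udp = ip + (ip[0] & 0x0f) * 4;
    size_t ulen = (size_t)(udp[4] << 8 | udp[5]);
    uint32_t sum = sum16(ip + 12, 8, 0);         /* pseudo-header: src, dst */
    sum += 17 + (uint32_t)ulen;                  /* protocol 17, UDP length */
    sum = sum16(udp, 6, sum);                    /* ports and length field */
    sum = sum16(udp + 8, ulen - 8, sum);         /* payload; checksum field skipped */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    sum = ~sum & 0xffff;
    return sum ? (uint16_t)sum : 0xffff;         /* 0 on the wire means "none" */
}

/* The effect of --checksum-fill on this packet: store the full checksum. */
void udp_csum_fill(uint8_t *ip) {
    uint16_t c = udp_csum(ip);
    uint8_t *udp = ip + (ip[0] & 0x0f) * 4;
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
}

/* Receiver decision (hypothetical helper). csum_not_ready models the
 * TP_STATUS_CSUMNOTREADY bit of PACKET_AUXDATA; old clients pass 0. */
int client_accepts(const uint8_t *ip, int csum_not_ready) {
    const uint8_t *udp = ip + (ip[0] & 0x0f) * 4;
    uint16_t got = (uint16_t)(udp[6] << 8 | udp[7]);
    if (csum_not_ready || got == 0) return 1;    /* nothing to verify */
    return got == udp_csum(ip);
}

/* Constructed sample: 10.0.0.1:67 -> 10.0.0.2:68, 4 payload bytes; the
 * checksum field holds only the pseudo-header sum, i.e. it is unfinished. */
void make_sample(uint8_t pkt[32]) {
    static const uint8_t s[32] = {0x45,0,0,32, 0,0,0,0, 64,17,0,0, 10,0,0,1,
        10,0,0,2, 0,67, 0,68, 0,12, 0x14,0x20, 2,1,6,0};
    memcpy(pkt, s, sizeof s);
}

int main(void) { uint8_t p[32]; make_sample(p); udp_csum_fill(p); return !client_accepts(p, 0); }
```

A client that always verifies rejects the sample until the checksum is filled in, while one that honours the not-ready flag accepts it either way.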