On Thu, Aug 24, 2017 at 03:17:22PM +0200, Florian Westphal wrote:
> Davide Caratti <dcaratti@xxxxxxxxxx> wrote:
> > Small nit: may I suggest you to call skb_csum_hwoffload_help() instead of
> > skb_checksum_help(), so that we avoid corrupting SCTP packets in case they
> > hit xt_CHECKSUM target?
>
> Alternatively we could restrict the target to udp only.
>
> AFAIU the only reason this thing exists is to fix up udp checksum
> for old dhcp clients that use AF_PACKET without evaluating the extra
> metadata that indicates when a 'bad' checksum is in fact ok because it
> is supposed to be filled in by hardware later.
>
> This can happen in virtual environment when such skb is directly passed
> to vm.

Based on what the documentation and the commit message of the commit
introducing xt_CHECKSUM module say, it seems so. But I must admit I'm not
sure where the target is used and how (and why).

In particular, our issue was most likely a result of

  https://github.com/openstack/openstack-ansible-tests/blob/master/test-prepare-host.yml#L196-L197

where they explicitly confine it to TCP packets. Unfortunately these lines
come from "Initial testing commit" so it's hard to say what the intention
behind that was.

Michal Kubecek
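
The failure mode described in the quoted text, modelled in user space as an added example; it is not code from this thread or from the kernel. Assumptions not on the page: the "extra metadata" is taken to be the tp_status word delivered through PACKET_AUXDATA with its TP_STATUS_CSUMNOTREADY bit, and the packet bytes and function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Same bit as TP_STATUS_CSUMNOTREADY in <linux/if_packet.h> (assumed metadata). */
#define CSUMNOTREADY (1u << 3)

/* One's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t fold_sum(const uint8_t *p, size_t n, uint32_t sum)
{
    for (; n > 1; p += 2, n -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* IPv4 pseudo-header sum for UDP (protocol 17); ip holds src then dst. */
static uint16_t pseudo_sum(const uint8_t ip[8], uint16_t len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, ip, 8);
    ph[9] = 17; ph[10] = len >> 8; ph[11] = len & 0xff;
    return fold_sum(ph, sizeof ph, 0);
}

/* What a receiver that verifies the UDP checksum itself concludes. */
static int udp_csum_ok(const uint8_t ip[8], const uint8_t *udp, uint16_t len)
{
    if (!udp[6] && !udp[7]) return 1;      /* IPv4: zero means "no checksum" */
    return fold_sum(udp, len, pseudo_sum(ip, len)) == 0xffff;
}

/* Constructed packet: 192.0.2.1:67 -> 192.0.2.10:68 with 4 payload bytes.
 * complete=0 keeps the offload state (field holds only the pseudo-header sum);
 * complete=1 finishes the checksum in software before delivery.
 * honor_status models a client that evaluates tp_status. Returns 1 = accept. */
int client_accepts(int complete, uint32_t tp_status, int honor_status)
{
    const uint8_t ip[8] = {192, 0, 2, 1, 192, 0, 2, 10};
    uint8_t udp[12] = {0, 67, 0, 68, 0, 12, 0, 0, 1, 1, 6, 0};
    uint16_t c = pseudo_sum(ip, sizeof udp);
    udp[6] = c >> 8; udp[7] = c & 0xff;
    if (complete) {
        c = (uint16_t)~fold_sum(udp, sizeof udp, 0);
        if (!c) c = 0xffff;                /* 0 is reserved for "no checksum" */
        udp[6] = c >> 8; udp[7] = c & 0xff;
    }
    if (honor_status && (tp_status & CSUMNOTREADY)) return 1;
    return udp_csum_ok(ip, udp, sizeof udp);
}
```

A client that ignores the status word rejects the offload-state packet even when the bit is set, and accepts it only once the checksum has been completed in software.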