Bug 642355
| Summary: | Update iptables to a version that supports "--checksum-fill" | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jóhann B. Guðmundsson <johannbg> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 14 | CC: | andy, aquini, berrange, clalance, crobinso, dougsland, eblake, edgar.hoch, gansalmon, itamar, jforbes, jonathan, kernel-maint, laine, madhu.chinakonda, mst, selinux, twoerner, veillard, virt-maint |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-07 03:52:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jóhann B. Guðmundsson
2010-10-12 16:59:03 UTC
xt_CHECKSUM is not available in the F-14 kernel. (latest build: kernel-2.6.35.6-40.fc14). If xt_CHECKSUM has been added to the kernel, please reassign to iptables. Reassigning to kernel. Please cherry-pick these upstream commits into the kernel: edf0e1fb0d0910880881523cfaaabcec06a2c0d5 22cb516696304a9b85892b18c483a27d97cfa51b (In reply to comment #0) > Looks like the virtualsation guy's forgot to ping you guys to upgrade to > iptables version that supports "--checksum-fill" before they started to > implement and ship it.. As an emergency measure I 'fixed it' with these commands: /sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT /sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT Note that libvirtd won't delete the rules when it stops. Andrew - you shouldn't need to add any rules. libvirt attempts to add thhe --checksum-fill rule in order to fix the checksums of dhcp packets for virtual guests running dhclient (which has a problem when it's running on the same physical hardware as the dhcp server *and* hardware checksum acceleration is enabled - the problem only shows up if you are using vhost-net for guest networking, which isn't officially supported in F14). A successfully added --checksum-fill rule doesn't cause the packet to be accepted, and lack of the rule doesn't cause the packet to be denied; there is already another rule for that. If your iptables/kernel doesn't support --checksum-fill, the same rules will have been added by libvirt as it used to add, so dhcp will continue to work with no extra workarounds required (unless you try loading the vhost-net module, in which case it will fail on some older guests that use dhclient, but there's nothing to do about that until both the kernel, then iptables, get updated to support --checksum-fill). Thanks Laine, I'm not expert yet with VMs, so maybe I'm like the dog thinking it chased away the car because the result appeared to match the 'cure'. After half an hour of poking and prodding I could connect to the VM. I expect problems while testing, but I don't know what else could have caused it to fail. *** Bug 628219 has been marked as a duplicate of this bug. *** We can't cherry-pick entire new features like the iptables checksum target into F14, because then someone would have to stay on top of security fixes for it. Libvirt should remove all references to that target in its scripts instead. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. (In reply to comment #7) > We can't cherry-pick entire new features like the iptables checksum target into > F14, because then someone would have to stay on top of security fixes for it. > Libvirt should remove all references to that target in its scripts instead. Libvirt's probe for whether the feature is present, while noisy, is harmless. Meanwhile, F15 has the newer kernel supporting the feature. F14 is near end-of-life now, so I'm just going to close this as fixed in F15. |