Bug 642355 - Update iptables to a version that supports "--checksum-fill"
Update iptables to a version that supports "--checksum-fill"
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: libvirt (Show other bugs)
14
All Linux
low Severity medium
: ---
: ---
Assigned To: Libvirt Maintainers
Fedora Extras Quality Assurance
:
: 628219 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-10-12 12:59 EDT by Jóhann B. Guðmundsson
Modified: 2011-12-06 22:52 EST (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 22:52:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jóhann B. Guðmundsson 2010-10-12 12:59:03 EDT
Description of problem:

Looks like the virtualsation guy's forgot to ping you guys to upgrade to iptables version that supports  "--checksum-fill" before they started to implement and ship it..

Version-Release number of selected component (if applicable):

iptables-1.4.9-1.fc14 + libvirt-0.8.3-3.fc14

How reproducible:

When you start/restart libvirt.. 

Steps to Reproduce:
1. Install @virtualsation group
2. start/restart libvirt
3.
  
Actual results:

"libvirtd: 16:39:51.345: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9: unknown option `--checksum-fill'#012Try `iptables -h' or 'iptables --help' for more information.#012" 

Expected results:

No error et al.. 

Additional info:

They seemed to have implemented this to workaround some broken dhcp clients that don't expect partial checksums.
Comment 1 Thomas Woerner 2010-10-12 14:20:07 EDT
xt_CHECKSUM is not available in the F-14 kernel. (latest build: kernel-2.6.35.6-40.fc14).

If xt_CHECKSUM has been added to the kernel, please reassign to iptables.

Reassigning to kernel.
Comment 2 Thomas Woerner 2010-10-12 14:41:51 EDT
Please cherry-pick these upstream commits into the kernel:

edf0e1fb0d0910880881523cfaaabcec06a2c0d5
22cb516696304a9b85892b18c483a27d97cfa51b
Comment 3 Andrew Haveland-Robinson 2010-10-14 20:35:04 EDT
(In reply to comment #0)

> Looks like the virtualsation guy's forgot to ping you guys to upgrade to
> iptables version that supports  "--checksum-fill" before they started to
> implement and ship it..

As an emergency measure I 'fixed it' with these commands:

/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT

/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT

Note that libvirtd won't delete the rules when it stops.
Comment 4 Laine Stump 2010-10-18 14:10:49 EDT
Andrew - you shouldn't need to add any rules. libvirt attempts to add thhe --checksum-fill rule in order to fix the checksums of dhcp packets for virtual guests running dhclient (which has a problem when it's running on the same physical hardware as the dhcp server *and* hardware checksum acceleration is enabled - the problem only shows up if you are using vhost-net for guest networking, which isn't officially supported in F14).

A successfully added --checksum-fill rule doesn't cause the packet to be accepted, and lack of the rule doesn't cause the packet to be denied; there is already another rule for that.

If your iptables/kernel doesn't support --checksum-fill, the same rules will have been added by libvirt as it used to add, so dhcp will continue to work with no extra workarounds required (unless you try loading the vhost-net module, in which case it will fail on some older guests that use dhclient, but there's nothing to do about that until both the kernel, then iptables, get updated to support --checksum-fill).
Comment 5 Andrew Haveland-Robinson 2010-10-20 13:33:55 EDT
Thanks Laine,
I'm not expert yet with VMs, so maybe I'm like the dog thinking it chased away the car because the result appeared to match the 'cure'. After half an hour of poking and prodding I could connect to the VM.
I expect problems while testing, but I don't know what else could have caused it to fail.
Comment 6 Laine Stump 2010-10-27 12:36:39 EDT
*** Bug 628219 has been marked as a duplicate of this bug. ***
Comment 7 Chuck Ebbert 2011-03-10 13:36:37 EST
We can't cherry-pick entire new features like the iptables checksum target into F14, because then someone would have to stay on top of security fixes for it. Libvirt should remove all references to that target in its scripts instead.
Comment 8 Fedora Admin XMLRPC Client 2011-09-22 13:57:18 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Fedora Admin XMLRPC Client 2011-09-22 14:00:36 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Fedora Admin XMLRPC Client 2011-11-30 14:56:59 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 11 Fedora Admin XMLRPC Client 2011-11-30 14:58:19 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 12 Fedora Admin XMLRPC Client 2011-11-30 15:03:08 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 13 Fedora Admin XMLRPC Client 2011-11-30 15:03:49 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Eric Blake 2011-12-06 22:52:51 EST
(In reply to comment #7)
> We can't cherry-pick entire new features like the iptables checksum target into
> F14, because then someone would have to stay on top of security fixes for it.
> Libvirt should remove all references to that target in its scripts instead.

Libvirt's probe for whether the feature is present, while noisy, is harmless.  Meanwhile, F15 has the newer kernel supporting the feature.  F14 is near end-of-life now, so I'm just going to close this as fixed in F15.

Note You need to log in before you can comment on or make changes to this bug.