Red Hat Bugzilla – Bug 642355
Update iptables to a version that supports "--checksum-fill"
Last modified: 2011-12-06 22:52:51 EST
Description of problem:
Looks like the virtualisation guys forgot to ping you guys to upgrade to an iptables version that supports "--checksum-fill" before they started to implement and ship it..
Version-Release number of selected component (if applicable):
iptables-1.4.9-1.fc14 + libvirt-0.8.3-3.fc14
When you start/restart libvirt..
Steps to Reproduce:
1. Install @virtualization group
2. start/restart libvirt
"libvirtd: 16:39:51.345: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9: unknown option `--checksum-fill'#012Try `iptables -h' or 'iptables --help' for more information.#012"
No error et al..
They seemed to have implemented this to workaround some broken dhcp clients that don't expect partial checksums.
xt_CHECKSUM is not available in the F-14 kernel. (latest build: kernel-126.96.36.199-40.fc14).
If xt_CHECKSUM has been added to the kernel, please reassign to iptables.
Reassigning to kernel.
Please cherry-pick these upstream commits into the kernel:
(In reply to comment #0)
> Looks like the virtualisation guys forgot to ping you guys to upgrade to an
> iptables version that supports "--checksum-fill" before they started to
> implement and ship it..
As an emergency measure I 'fixed it' with these commands:
/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT
/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT
Note that libvirtd won't delete the rules when it stops.
Andrew - you shouldn't need to add any rules. libvirt attempts to add the --checksum-fill rule in order to fix the checksums of dhcp packets for virtual guests running dhclient (which has a problem when it's running on the same physical hardware as the dhcp server *and* hardware checksum acceleration is enabled - the problem only shows up if you are using vhost-net for guest networking, which isn't officially supported in F14).
A successfully added --checksum-fill rule doesn't cause the packet to be accepted, and lack of the rule doesn't cause the packet to be denied; there is already another rule for that.
If your iptables/kernel doesn't support --checksum-fill, the same rules will have been added by libvirt as it used to add, so dhcp will continue to work with no extra workarounds required (unless you try loading the vhost-net module, in which case it will fail on some older guests that use dhclient, but there's nothing to do about that until both the kernel, then iptables, get updated to support --checksum-fill).
I'm not expert yet with VMs, so maybe I'm like the dog thinking it chased away the car because the result appeared to match the 'cure'. After half an hour of poking and prodding I could connect to the VM.
I expect problems while testing, but I don't know what else could have caused it to fail.
*** Bug 628219 has been marked as a duplicate of this bug. ***
We can't cherry-pick entire new features like the iptables checksum target into F14, because then someone would have to stay on top of security fixes for it. Libvirt should remove all references to that target in its scripts instead.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
(In reply to comment #7)
> We can't cherry-pick entire new features like the iptables checksum target into
> F14, because then someone would have to stay on top of security fixes for it.
> Libvirt should remove all references to that target in its scripts instead.
Libvirt's probe for whether the feature is present, while noisy, is harmless. Meanwhile, F15 has the newer kernel supporting the feature. F14 is near end-of-life now, so I'm just going to close this as fixed in F15.
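As an added example (not libvirt's own code) of what the probe discussed in this thread amounts to, the POSIX sh script below classifies the outcome of the same `--delete ... --jump CHECKSUM --checksum-fill` call quoted in the report, so an admin script can tell an iptables that lacks the option (this bug) from a kernel without xt_CHECKSUM, insert the rule only when it will work, and remove it again on teardown (which libvirtd does not do). `IPTABLES`, `BRIDGE` and the function names are assumptions, and the error-message patterns are the iptables 1.4.x messages as I know them.

```shell
#!/bin/sh
# Added example, not libvirt's code. IPTABLES/BRIDGE are assumed names that
# can be overridden (e.g. pointed at a mock for testing).
IPTABLES="${IPTABLES:-/sbin/iptables}"
BRIDGE="${BRIDGE:-virbr0}"

# Run one action (--insert or --delete) on the DHCP checksum-fill rule
# libvirt tries to manage, exactly as quoted in the bug report.
checksum_rule() {
    "$IPTABLES" --table mangle "$1" POSTROUTING --out-interface "$BRIDGE" \
        --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
}

# Prints one of: supported | no-userspace | no-kernel | unknown
# The probe is the same --delete libvirt issues; its exit status and message
# tell the cases apart (patterns assumed from iptables 1.4.x output).
probe_checksum_fill() {
    out=$(checksum_rule --delete 2>&1) && rc=0 || rc=$?
    case "$rc:$out" in
        0:*)                       echo supported ;;    # stale rule was removed
        *"Bad rule"*)              echo supported ;;    # parsed fine, rule absent
        2:*"unknown option"*)      echo no-userspace ;; # iptables <= 1.4.9 (this bug)
        *"No chain/target/match"*) echo no-kernel ;;    # xt_CHECKSUM not in kernel
        *)                         echo unknown ;;
    esac
}

# Insert the rule only when the probe says it will work. Without it DHCP
# still works through libvirt's ordinary rules, so doing nothing is safe.
add_checksum_rule() {
    case "$(probe_checksum_fill)" in
        supported) checksum_rule --insert ;;
        *)         return 1 ;;
    esac
}

# Teardown counterpart: libvirtd leaves the rule behind, so remove it here.
remove_checksum_rule() {
    checksum_rule --delete 2>/dev/null
}
```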