Thanks Florian, FYI, I don't have any CHECKSUM configure in my iptables, i have following rules, also do you think this kernel WARNNING is just warning and not impacting my performance, based on that i have to decided criticality of this issue.
[root@ostack-infra-02 ~]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67 Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 On Sun, Aug 5, 2018 at 5:48 AM, Florian Westphal <f...@strlen.de> wrote: > Satish Patel <satish....@gmail.com> wrote: >> I am installing openstack and as you know i have lots of bridges and >> vlan interface on my Linux CentOS 7.5 >> >> I was getting following error stack on 3.10 kernel and found this is >> kernel bug which required kernel upgrade so now i have upgraded my >> kernel to 4.17.12 but i am still seeing same kernel stack error on my >> dmesg >> >> I have disable TSO, LRO, SG & GSO on my NIC but still getting error >> just wanted to understand what is this and why it popping up > > Get rid of CHECKSUM target in the iptables rules. > This thing was added 8 years ago to work around dhcp bugs, I don't > think its use is needed anymore. > Try removing it and see that all VMs can still retrieve IP address > via DHCP. > > I'm curious as to the rules, normally CHECKSUM target should be > limited to -p udp --dport bootp; its bad idea to feed it normal > packets, its expensive to do this in software rather than have device > do the checksumming. > > As for fix, I'm tempted to send patch to make checksum target > eval a no-op & add deprecation warning on init... > > Other "fix" is to > > diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c > index 9f4151ec3e06..23a17dda604d 100644 > --- a/net/netfilter/xt_CHECKSUM.c > +++ b/net/netfilter/xt_CHECKSUM.c > @@ -25,8 +25,12 @@ MODULE_ALIAS("ip6t_CHECKSUM"); > static unsigned int > checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) > { > - if (skb->ip_summed == CHECKSUM_PARTIAL) > - skb_checksum_help(skb); > + if (skb->ip_summed == CHECKSUM_PARTIAL) { > + if (skb_shinfo(skb)->gso_size) > + skb->ip_summed = CHECKSUM_NONE; > + else > + skb_checksum_help(skb); > + } > > return XT_CONTINUE; > } > > (unfortunately, the target isn't restricted to POSTROUTING, sigh).