After reading further about the related DHCP checksum issue, it seems we need
that rule when you are running DHCP on the same host machine where your guest
is using the host DHCP service; in that case the virtual NIC won't do the
checksum. If your DHCP is running on a different host, then your physical NIC
performs the checksum.

On Sun, Aug 5, 2018 at 4:39 PM, Satish Patel <satish....@gmail.com> wrote:
> Florian,
>
> I have removed those port 80 CHECKSUM rules and everything looks good;
> I didn't see the kernel WARN message.
>
> Thank you so much! You just nailed it :)
>
> On Sun, Aug 5, 2018 at 4:15 PM, Satish Patel <satish....@gmail.com> wrote:
>> Florian,
>>
>> It seems those rules are coming from here
>> https://github.com/openstack/openstack-ansible-os_neutron/blob/master/files/post-up-metadata-checksum
>>
>> On Sun, Aug 5, 2018 at 4:09 PM, Satish Patel <satish....@gmail.com> wrote:
>>> Yes, this is the openstack-ansible deployment tool which set them up. I am
>>> wondering where these rules are saved. I believe openstack-ansible uses
>>> LXC containers to deploy services, so they must be part of the LXC startup
>>> scripts.
>>>
>>> I have checked; there is no firewalld or iptables service running on the
>>> system.
>>>
>>> You think I should get rid of all CHECKSUM options in the iptables rules?
>>> Am I right?
>>>
>>>
>>> On Sun, Aug 5, 2018 at 4:02 PM, Florian Westphal <f...@strlen.de> wrote:
>>>> Satish Patel <satish....@gmail.com> wrote:
>>>>> > [84166:59495417] -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
>>>>> > --checksum-fill
>>>>> > [68739:5153476] -A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM
>>>>> > --checksum-fill
>>>>
>>>> These rules make no sense to me, and are also the source of your backtrace.
>>>> Who set this up?
>>>>
>>>> If this is coming from openstack, I suggest asking openstack developers
>>>> WTH this is supposed to do.
>>>>
>>>>> > [755:275452] -A POSTROUTING -s 10.0.3.0/24 -o lxcbr0 -p udp -m udp
>>>>> > --dport 68 -j CHECKSUM --checksum-fill
>>>>
>>>> This was needed to work around dhcpd issues w. checksum offloading but I
>>>> guess that DHCP will work fine without this rule too nowadays.
>>>>
>>>> So I suggest you simply get rid of these rules.
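
An audit for the rules discussed in this thread, as an added example that is not part of the original messages: it reads `iptables-save -c` style output and separates the DHCP workaround rule (UDP, destination port 68) from every other `CHECKSUM --checksum-fill` rule. The function names, the `dhcp`/`review` labels and the sample input (constructed from the rules quoted above, rejoined onto single lines) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in `iptables-save -c` format, modelled on the thread's rules.
sample_rules() {
cat <<'EOF'
*mangle
:POSTROUTING ACCEPT [0:0]
[84166:59495417] -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM --checksum-fill
[68739:5153476] -A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM --checksum-fill
[755:275452] -A POSTROUTING -s 10.0.3.0/24 -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
[12:720] -A POSTROUTING -o eth0 -j MARK --set-mark 0x1
COMMIT
EOF
}

# Read iptables-save text on stdin; print one line per CHECKSUM rule:
#   "dhcp <rule>"   - UDP to port 68, the DHCP checksum-offload workaround
#   "review <rule>" - any other CHECKSUM rule (e.g. the TCP sport 80/8000 ones)
classify_checksum_rules() {
  awk '
    /-j CHECKSUM/ && /--checksum-fill/ {
      sub(/^\[[0-9]+:[0-9]+\] /, "")          # drop [packets:bytes] counters
      if ($0 ~ /-p udp/ && $0 ~ /--dport 68( |$)/)
        print "dhcp", $0
      else
        print "review", $0
    }'
}

# Count rules of one class ("dhcp" or "review") from iptables-save text on stdin.
count_class() {
  classify_checksum_rules | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a live host, pipe `iptables-save -c` instead.
sample_rules | classify_checksum_rules
```
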
