Hi, I am playing about with NAT in OVS 2.6.1 and have come across an issue with TCP checksums when helpers are being used.
I have a setup of client -> OVS -> ftp server (all physical ports with no checksum offloading enabled on the network cards). OVS is running on kernel version 3.13. I am using rules such as these for testing purposes:

    cookie=0x0, duration=121.467s, table=0, n_packets=0, n_bytes=0, idle_age=121, ct_state=-trk,ip,in_port=4 actions=ct(commit,table=0,nat)
    cookie=0x0, duration=121.453s, table=0, n_packets=0, n_bytes=0, idle_age=121, ct_state=-trk,ip,in_port=3 actions=ct(commit,table=0,nat(src=10.0.0.5))
    cookie=0x0, duration=121.462s, table=0, n_packets=0, n_bytes=0, idle_age=121, ct_state=+rel+trk,in_port=4 actions=output:3
    cookie=0x0, duration=121.458s, table=0, n_packets=0, n_bytes=0, idle_age=121, ct_state=-rel+trk,in_port=4 actions=output:3
    cookie=0x0, duration=121.449s, table=0, n_packets=0, n_bytes=0, idle_age=121, ct_state=+rel+trk,in_port=3 actions=output:4
    cookie=0x0, duration=121.444s, table=0, n_packets=0, n_bytes=0, idle_age=121, ct_state=-rel+trk,in_port=3 actions=output:4
    cookie=0x0, duration=121.440s, table=0, n_packets=0, n_bytes=0, idle_age=121, priority=0,arp,in_port=3 actions=output:4
    cookie=0x0, duration=121.435s, table=0, n_packets=0, n_bytes=0, idle_age=121, priority=0,arp,in_port=4 actions=output:3

This works fine and I can establish FTP connections between client and server. However, when I introduce helper modules, I can no longer connect. I've narrowed this down to bad TCP checksums. Tracing through the code, the marking of the skb checksum data in ovs_ct_helper (datapath/conntrack.c) seems to be the cause (only happens in kernels < 4.6). When the packet is recirculated and upcalled to user-space, the following code in datapath.c, queue_userspace_packet(), ends up corrupting the TCP checksum:

    /* Complete checksum if needed */
    if (skb->ip_summed == CHECKSUM_PARTIAL &&
        (err = skb_checksum_help(skb)))

I have verified the checksums before and after this call and it goes from correct (taking into account the address translation) to invalid.
In this case, it is the SYN packet of the FTP connection that has the bad checksum, so there should be no payload changes involved from the helper. The checksum is updated correctly by the Netfilter NAT code, so should it not need CHECKSUM_PARTIAL set here? This will, obviously, not cover cases where the packet is modified by the helper. I will try to dig a bit more into this and report any further information.

Thanks,
John
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
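Added example (not from the post, OVS or the kernel): a Python model of the checksum arithmetic the post describes. It builds a constructed 20-byte SYN from 10.0.0.7 to 10.0.0.9 (addresses and TCP fields are made up), applies an RFC 1624 incremental SNAT update to 10.0.0.5 the way Netfilter keeps a complete checksum correct, and then runs my simplified reading of skb_checksum_help() over it: that routine assumes the header field holds only the pseudo-header sum (CHECKSUM_PARTIAL), so applied to an already-complete checksum it overwrites a correct value with an invalid one.

```python
import struct

# Constructed sample: client 10.0.0.7 -> FTP server 10.0.0.9, SNAT to 10.0.0.5
CLIENT, NEW_SRC, SERVER = bytes([10, 0, 0, 7]), bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])

def csum_fold(total: int) -> int:
    """Fold carries back in so the one's-complement sum fits in 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def csum_sum(data: bytes, initial: int = 0) -> int:
    """One's-complement sum of big-endian 16-bit words (csum_partial style)."""
    if len(data) % 2:
        data += b"\x00"
    return csum_fold(initial + sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)

def with_checksum(seg: bytes, csum: int) -> bytes:
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """The complete checksum a non-offloading path carries in the header."""
    return ~csum_sum(pseudo_header(src, dst, len(seg)) + with_checksum(seg, 0)) & 0xFFFF

def tcp_checksum_ok(src: bytes, dst: bytes, seg: bytes) -> bool:
    return csum_sum(pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF

def snat_incremental(seg: bytes, old_src: bytes, new_src: bytes) -> bytes:
    """RFC 1624 update of a complete checksum for a changed source address."""
    hc = struct.unpack("!H", seg[16:18])[0]
    new_hc = ~csum_fold((~hc & 0xFFFF) + (~csum_sum(old_src) & 0xFFFF) + csum_sum(new_src))
    return with_checksum(seg, new_hc & 0xFFFF)

def skb_checksum_help_model(seg: bytes) -> bytes:
    """Model (my reading, not kernel code): assume the field holds the pseudo-header
    sum, sum the whole transport segment including it, write back the complement."""
    return with_checksum(seg, ~csum_sum(seg) & 0xFFFF)

def build_syn() -> bytes:
    """Bare 20-byte SYN to port 21: sport 40000, seq 1, window 65535, no options."""
    return struct.pack("!HHIIBBHHH", 40000, 21, 1, 0, 0x50, 0x02, 0xFFFF, 0, 0)

def trace() -> dict:
    """Before/after check: NAT keeps the checksum correct; running the 'help' pass
    over the already-complete field does not, while a real partial field is fine."""
    syn = with_checksum(build_syn(), tcp_checksum(CLIENT, SERVER, build_syn()))
    natted = snat_incremental(syn, CLIENT, NEW_SRC)
    helped = skb_checksum_help_model(natted)
    partial = with_checksum(natted, csum_sum(pseudo_header(NEW_SRC, SERVER, len(natted))))
    return {"syn_csum": struct.unpack("!H", syn[16:18])[0],
            "nat_csum": struct.unpack("!H", natted[16:18])[0],
            "after_nat_ok": tcp_checksum_ok(NEW_SRC, SERVER, natted),
            "after_help_ok": tcp_checksum_ok(NEW_SRC, SERVER, helped),
            "help_field": struct.unpack("!H", helped[16:18])[0],
            "help_on_real_partial_ok": tcp_checksum_ok(NEW_SRC, SERVER, skb_checksum_help_model(partial))}
```

The "help_field" result shows where the corruption comes from: summing a segment that already carries a complete checksum leaves exactly the pseudo-header sum in the field, which is what a genuine CHECKSUM_PARTIAL skb would hold before the help pass, not after it.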
