Re: [PATCH v2] network: add rule to nftables backend that zeroes checksum of DHCP responses
On Tue, Oct 29, 2024 at 04:12:16PM +0100, Phil Sutter wrote:
Hi,
On Tue, Oct 29, 2024 at 09:30:27AM -0400, Laine Stump wrote:
> So when the extra rules are removed, then those same guests begin
> working? (You can easily remove the checksum rules with:
>
> nft delete chain ip libvirt_network postroute_mangle
>
> BTW, I just now tried an e1000e NIC on Fedora guest and it continues to
> work with the 0-checksum rules removed. In this case tcpdump on virbr0
> shows "bad cksum", but when I look at tcpdump on the guest, it shows
> "udp cksum ok" though, so something else somewhere is setting the
> checksum to the correct value.
FWIW, I just tested an alternative workaround using tc. This works for
me with a FreeBSD guest and NIC switched to either e1000 or virtio:
# tc qd add dev vnetbr0 root handle 1: htb
# tc filter add dev vnetbr0 prio 1 protocol ip parent 1: \
u32 match ip sport 67 ffff match ip dport 68 ffff \
action csum ip and udp
This feels like it is functionally closest to what we've had historically,
even though it is annoying to have to deal with 'tc' tool, in addition
to 'nft'. So I'm thinking this is probably the way we'll have to go.
Another alternative might be to add the nftables rule for
virtio-based
guests only.
The firewall rules are in a chain that's applied to all guests,
so we have no where to add a per-guest rule.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|