From nobody Thu Nov 21 12:35:20 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1730258534825927.8723142110667;
 Tue, 29 Oct 2024 20:22:14 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 7010F14E9; Tue, 29 Oct 2024 23:22:13 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 4E89A145E;
	Tue, 29 Oct 2024 23:21:36 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id E0C9A1442; Tue, 29 Oct 2024 23:21:32 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 156DD13C2
	for <devel@lists.libvirt.org>; Tue, 29 Oct 2024 23:21:32 -0400 (EDT)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-383-ygqz9GBPNFGc5x2jQgHBvw-1; Tue,
 29 Oct 2024 23:21:29 -0400
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 20C3B1955F65
	for <devel@lists.libvirt.org>; Wed, 30 Oct 2024 03:21:29 +0000 (UTC)
Received: from vhost3.router.laine.org (unknown [10.22.80.72])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id A9E001956056
	for <devel@lists.libvirt.org>; Wed, 30 Oct 2024 03:21:28 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable
	autolearn_force=no version=3.4.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1730258491;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RGTra39LOhj9TfAJjDrtlyYzxM4XnbsFH6Xiyxk+PKE=;
	b=GO0SNNhQkS5R6U6J2u5dUOi9wMT9Je2pPq/2Td1VaB0UTflO0L8OVOL5c4foKOgoN1uawJ
	2/K+dQA6V+SeL6IzZPm+LgQ6eoBvb3DF4HjSsdjVQYXKKMEcIsN7dappKHzeNjCDx3t8EX
	pMIudYLjTbn5v8PyWE3juaVxYso9SKo=
X-MC-Unique: ygqz9GBPNFGc5x2jQgHBvw-1
From: Laine Stump <laine@redhat.com>
To: devel@lists.libvirt.org
Subject: [PATCH] Revert "network: add rule to nftables backend that zeroes
 checksum of DHCP responses"
Date: Tue, 29 Oct 2024 23:21:27 -0400
Message-ID: <20241030032127.364741-1-laine@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: IAELOESFKDQB4XSBUJEYI4FDKAMAOLDR
X-Message-ID-Hash: IAELOESFKDQB4XSBUJEYI4FDKAMAOLDR
X-MailFrom: laine@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/IAELOESFKDQB4XSBUJEYI4FDKAMAOLDR/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1730258535749116600
Content-Type: text/plain; charset="utf-8"; x-default="true"

This reverts commit 42ab0148dd11727f7e3fd31dce4485469af290d5.

This patch was supposed to fix the checksum of dhcp response packets
by setting it to 0 (because having a non-0 but incorrect checksum was
causing the packets to be droppe on FreeBSD guests).

Early testing was positive, but after the patch was pushed upstream
and more people could test it, it turned out that while it fixed the
dhcp checksum problem for virtio-net interfaces on FreeBSD and
OpenBSD, it also *broke* dhcp checksums for the e1000 emulated NIC on
*all* guests (but not e1000e).

So we're reverting this fix and looking for something more universal
to be included in the next release.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
---
 src/network/network_nftables.c                | 69 -------------------
 tests/networkxml2firewalldata/base.nftables   | 14 ----
 .../forward-dev-linux.nftables                | 16 -----
 .../isolated-linux.nftables                   | 16 -----
 .../nat-default-linux.nftables                | 16 -----
 .../nat-ipv6-linux.nftables                   | 16 -----
 .../nat-ipv6-masquerade-linux.nftables        | 16 -----
 .../nat-many-ips-linux.nftables               | 16 -----
 .../nat-port-range-ipv6-linux.nftables        | 16 -----
 .../nat-port-range-linux.nftables             | 16 -----
 .../nat-tftp-linux.nftables                   | 16 -----
 .../route-default-linux.nftables              | 16 -----
 12 files changed, 243 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index 5523207269..f8b5ab665d 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -51,7 +51,6 @@ VIR_LOG_INIT("network.nftables");
 #define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
 #define VIR_NFTABLES_FWD_X_CHAIN "guest_cross"
 #define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat"
-#define VIR_NFTABLES_MANGLE_POSTROUTE_CHAIN "postroute_mangle"
=20
 /* we must avoid using the standard "filter" table as used by
  * iptables, as any subsequent attempts to use iptables commands will
@@ -107,10 +106,6 @@ nftablesGlobalChain nftablesChains[] =3D {
=20
     /* chains for NAT rules */
     {NULL, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, "{ type nat hook postrouting =
priority 100; policy accept; }"},
-
-    /* chain for "mangle" rules that modify packets (e.g. 0 out UDP checks=
ums) */
-    {NULL, VIR_NFTABLES_MANGLE_POSTROUTE_CHAIN, "{ type filter hook postro=
uting priority 0; policy accept; }"},
-
 };
=20
=20
@@ -649,44 +644,6 @@ nftablesAddDontMasquerade(virFirewall *fw,
 }
=20
=20
-/**
- * nftablesAddOutputFixUdpChecksum:
- *
- * Add a rule to @fw that will 0 out the checksum of udp packets
- * output from @iface with destination port @port.
-
- * Zeroing the checksum of a UDP packet tells the receiving end "you
- * don't need to validate the checksum", which is useful in cases
- * where the host (sender) thinks that packet checksums will be
- * computed elsewhere (and so leaves a partially computed checksum in
- * the packet header) while the guest (receiver) thinks that the
- * checksum has already been fully computed; in the meantime none of
- * the code in between has actually finished computing the
- * checksum.
- *
- * An example of this is DHCP response packets from host to
- * guest. If the checksum of each of these packets isn't zeroed, then
- * many guests (e.g. FreeBSD) will drop them with reason BAD CHECKSUM;
- * if the packets arrive at those guests with a checksum of 0, they
- * will happily accept the packet.
- */
-static void
-nftablesAddOutputFixUdpChecksum(virFirewall *fw,
-                                const char *iface,
-                                int port)
-{
-    g_autofree char *portstr =3D g_strdup_printf("%d", port);
-
-    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
-                      "insert", "rule", "ip",
-                      VIR_NFTABLES_PRIVATE_TABLE,
-                      VIR_NFTABLES_MANGLE_POSTROUTE_CHAIN,
-                      "oif", iface, "udp", "dport", portstr,
-                      "counter", "udp", "checksum", "set", "0",
-                      NULL);
-}
-
-
 static const char networkLocalMulticastIPv4[] =3D "224.0.0.0/24";
 static const char networkLocalMulticastIPv6[] =3D "ff02::/16";
 static const char networkLocalBroadcast[] =3D "255.255.255.255/32";
@@ -944,30 +901,6 @@ nftablesAddGeneralFirewallRules(virFirewall *fw,
 }
=20
=20
-static void
-nftablesAddChecksumFirewallRules(virFirewall *fw,
-                                 virNetworkDef *def)
-{
-    size_t i;
-    virNetworkIPDef *ipv4def;
-
-    /* Look for the first IPv4 address that has dhcp or tftpboot
-     * defined. We support dhcp config on 1 IPv4 interface only.
-     */
-    for (i =3D 0; (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i))=
; i++) {
-        if (ipv4def->nranges || ipv4def->nhosts)
-            break;
-    }
-
-    /* If we are doing local DHCP service on this network, add a rule
-     * that will fixup the checksum of DHCP response packets back to
-     * the guests.
-     */
-    if (ipv4def)
-        nftablesAddOutputFixUdpChecksum(fw, def->bridge, 68);
-}
-
-
 static int
 nftablesAddIPSpecificFirewallRules(virFirewall *fw,
                                    virNetworkDef *def,
@@ -1019,8 +952,6 @@ nftablesAddFirewallRules(virNetworkDef *def, virFirewa=
ll **fwRemoval)
             return -1;
     }
=20
-    nftablesAddChecksumFirewallRules(fw, def);
-
     if (virFirewallApply(fw) < 0)
         return -1;
=20
diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml=
2firewalldata/base.nftables
index 6371fc12dd..a064318739 100644
--- a/tests/networkxml2firewalldata/base.nftables
+++ b/tests/networkxml2firewalldata/base.nftables
@@ -68,13 +68,6 @@ libvirt_network \
 guest_nat \
 '{ type nat hook postrouting priority 100; policy accept; }'
 nft \
-add \
-chain \
-ip \
-libvirt_network \
-postroute_mangle \
-'{ type filter hook postrouting priority 0; policy accept; }'
-nft \
 list \
 table \
 ip6 \
@@ -143,10 +136,3 @@ ip6 \
 libvirt_network \
 guest_nat \
 '{ type nat hook postrouting priority 100; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt_network \
-postroute_mangle \
-'{ type filter hook postrouting priority 0; policy accept; }'
diff --git a/tests/networkxml2firewalldata/forward-dev-linux.nftables b/tes=
ts/networkxml2firewalldata/forward-dev-linux.nftables
index 9dea1a88a4..8badb74beb 100644
--- a/tests/networkxml2firewalldata/forward-dev-linux.nftables
+++ b/tests/networkxml2firewalldata/forward-dev-linux.nftables
@@ -156,19 +156,3 @@ daddr \
 224.0.0.0/24 \
 counter \
 return
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/isolated-linux.nftables b/tests/=
networkxml2firewalldata/isolated-linux.nftables
index 67ee0a2bf5..d1b4dac178 100644
--- a/tests/networkxml2firewalldata/isolated-linux.nftables
+++ b/tests/networkxml2firewalldata/isolated-linux.nftables
@@ -62,19 +62,3 @@ oif \
 virbr0 \
 counter \
 accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes=
ts/networkxml2firewalldata/nat-default-linux.nftables
index 951a5a6d60..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -142,19 +142,3 @@ daddr \
 224.0.0.0/24 \
 counter \
 return
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/=
networkxml2firewalldata/nat-ipv6-linux.nftables
index 617ed8b753..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -200,19 +200,3 @@ oif \
 virbr0 \
 counter \
 accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl=
es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index a710d0e296..a7f09cda59 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -272,19 +272,3 @@ daddr \
 ff02::/16 \
 counter \
 return
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te=
sts/networkxml2firewalldata/nat-many-ips-linux.nftables
index 0be5fb7e65..b826fe6134 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -366,19 +366,3 @@ daddr \
 224.0.0.0/24 \
 counter \
 return
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftabl=
es b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
index 7574356855..ceaed6fa40 100644
--- a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
@@ -384,19 +384,3 @@ daddr \
 ff02::/16 \
 counter \
 return
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.nftables b/=
tests/networkxml2firewalldata/nat-port-range-linux.nftables
index 127536e4db..1dc37a26ec 100644
--- a/tests/networkxml2firewalldata/nat-port-range-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
@@ -312,19 +312,3 @@ oif \
 virbr0 \
 counter \
 accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/=
networkxml2firewalldata/nat-tftp-linux.nftables
index 951a5a6d60..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -142,19 +142,3 @@ daddr \
 224.0.0.0/24 \
 counter \
 return
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t=
ests/networkxml2firewalldata/route-default-linux.nftables
index be9c4f5439..282c9542a5 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -56,19 +56,3 @@ oif \
 virbr0 \
 counter \
 accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-postroute_mangle \
-oif \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-udp \
-checksum \
-set \
-0
--=20
2.47.0