[PATCH 0/5] network: fix dhcp response packet checksums on virtual networks

Laine Stump posted 5 patches 1 month ago
There is a newer version of this series
[PATCH 0/5] network: fix dhcp response packet checksums on virtual networks
Posted by Laine Stump 1 month ago
Patch 4/4 explains the problem and how these patches fix it. Assuming
no problems are found (none so far) this should go into 10.10.0, as it
solves a regression caused by switching the network driver to the
nftables backend.

There was a prior attempt at fixing this that was accepted, pushed,
bugs were discovered, and it was reverted (see Patch 4/4 for details). This will hopefully be the final attempt.

Please test with as many different guests as possible, both with
nftables backend and iptables backend, and using different guest
interface types, etc.

Laine Stump (5):
  util: make it optional to clear existing tc qdiscs/filters in
    virNetDevBandwidthSet()
  util: put the command that adds a tx filter qdisc into a separate
    function
  util: don't re-add the qdisc used for tx filters if it already exists
  util: add new "raw" layer for virFirewallCmd objects
  network: add tc filter rule to nftables backend to fix checksum of
    DHCP responses

 src/libvirt_private.syms                      |  1 +
 src/lxc/lxc_driver.c                          |  2 +-
 src/lxc/lxc_process.c                         |  2 +-
 src/network/bridge_driver.c                   |  4 +-
 src/network/network_nftables.c                | 69 +++++++++++++++++
 src/qemu/qemu_command.c                       |  2 +-
 src/qemu/qemu_driver.c                        |  3 +-
 src/qemu/qemu_hotplug.c                       |  4 +-
 src/util/virfirewall.c                        | 74 ++++++++++++-------
 src/util/virfirewall.h                        |  1 +
 src/util/virfirewalld.c                       |  1 +
 src/util/virnetdevbandwidth.c                 | 70 ++++++++++++++++--
 src/util/virnetdevbandwidth.h                 |  4 +
 .../forward-dev-linux.nftables                | 40 ++++++++++
 .../isolated-linux.nftables                   | 40 ++++++++++
 .../nat-default-linux.nftables                | 40 ++++++++++
 .../nat-ipv6-linux.nftables                   | 40 ++++++++++
 .../nat-ipv6-masquerade-linux.nftables        | 40 ++++++++++
 .../nat-many-ips-linux.nftables               | 40 ++++++++++
 .../nat-no-dhcp-linux.nftables                | 40 ++++++++++
 .../nat-port-range-ipv6-linux.nftables        | 40 ++++++++++
 .../nat-port-range-linux.nftables             | 40 ++++++++++
 .../nat-tftp-linux.nftables                   | 40 ++++++++++
 .../route-default-linux.nftables              | 40 ++++++++++
 tests/virnetdevbandwidthtest.c                |  5 +-
 25 files changed, 639 insertions(+), 43 deletions(-)

-- 
2.47.0
Re: [PATCH 0/5] network: fix dhcp response packet checksums on virtual networks
Posted by Michal Prívozník 1 month ago
On 11/22/24 22:16, Laine Stump wrote:
> Patch 4/4 explains the problem and how these patches fix it. Assuming
> no problems are found (none so far) this should go into 10.10.0, as it
> solves a regression caused by switching the network driver to the
> nftables backend.
> 
> There was a prior attempt at fixing this that was accepted, pushed,
> bugs were discovered, and it was reverted (see Patch 4/4 for details). This will hopefully be the final attempt.
> 
> Please test with as many different guests as possible, both with
> nftables backend and iptables backend, and using different guest
> interface types, etc.
> 
> Laine Stump (5):
>   util: make it optional to clear existing tc qdiscs/filters in
>     virNetDevBandwidthSet()
>   util: put the command that adds a tx filter qdisc into a separate
>     function
>   util: don't re-add the qdisc used for tx filters if it already exists
>   util: add new "raw" layer for virFirewallCmd objects
>   network: add tc filter rule to nftables backend to fix checksum of
>     DHCP responses
> 
>  src/libvirt_private.syms                      |  1 +
>  src/lxc/lxc_driver.c                          |  2 +-
>  src/lxc/lxc_process.c                         |  2 +-
>  src/network/bridge_driver.c                   |  4 +-
>  src/network/network_nftables.c                | 69 +++++++++++++++++
>  src/qemu/qemu_command.c                       |  2 +-
>  src/qemu/qemu_driver.c                        |  3 +-
>  src/qemu/qemu_hotplug.c                       |  4 +-
>  src/util/virfirewall.c                        | 74 ++++++++++++-------
>  src/util/virfirewall.h                        |  1 +
>  src/util/virfirewalld.c                       |  1 +
>  src/util/virnetdevbandwidth.c                 | 70 ++++++++++++++++--
>  src/util/virnetdevbandwidth.h                 |  4 +
>  .../forward-dev-linux.nftables                | 40 ++++++++++
>  .../isolated-linux.nftables                   | 40 ++++++++++
>  .../nat-default-linux.nftables                | 40 ++++++++++
>  .../nat-ipv6-linux.nftables                   | 40 ++++++++++
>  .../nat-ipv6-masquerade-linux.nftables        | 40 ++++++++++
>  .../nat-many-ips-linux.nftables               | 40 ++++++++++
>  .../nat-no-dhcp-linux.nftables                | 40 ++++++++++
>  .../nat-port-range-ipv6-linux.nftables        | 40 ++++++++++
>  .../nat-port-range-linux.nftables             | 40 ++++++++++
>  .../nat-tftp-linux.nftables                   | 40 ++++++++++
>  .../route-default-linux.nftables              | 40 ++++++++++
>  tests/virnetdevbandwidthtest.c                |  5 +-
>  25 files changed, 639 insertions(+), 43 deletions(-)
> 

I too tested this and it works.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal