[PATCH v2 0/6] network: fix dhcp response packet checksums on virtual networks

Laine Stump posted 6 patches 1 week, 3 days ago
src/libvirt_private.syms                      |   1 +
src/lxc/lxc_driver.c                          |   8 +-
src/lxc/lxc_process.c                         |   8 +-
src/network/bridge_driver.c                   |  10 +-
src/network/network_nftables.c                |  69 +++++++++++
src/qemu/qemu_command.c                       |  11 +-
src/qemu/qemu_driver.c                        |  29 ++---
src/qemu/qemu_hotplug.c                       |  22 +++-
src/util/virfirewall.c                        |  66 +++++++----
src/util/virfirewall.h                        |   1 +
src/util/virfirewalld.c                       |   1 +
src/util/virnetdevbandwidth.c                 | 110 ++++++++++++++----
src/util/virnetdevbandwidth.h                 |  15 ++-
.../forward-dev-linux.nftables                |  40 +++++++
.../isolated-linux.nftables                   |  40 +++++++
.../nat-default-linux.nftables                |  40 +++++++
.../nat-ipv6-linux.nftables                   |  40 +++++++
.../nat-ipv6-masquerade-linux.nftables        |  40 +++++++
.../nat-many-ips-linux.nftables               |  40 +++++++
.../nat-no-dhcp-linux.nftables                |  40 +++++++
.../nat-port-range-ipv6-linux.nftables        |  40 +++++++
.../nat-port-range-linux.nftables             |  40 +++++++
.../nat-tftp-linux.nftables                   |  40 +++++++
.../route-default-linux.nftables              |  40 +++++++
tests/virnetdevbandwidthtest.c                |  12 +-
25 files changed, 724 insertions(+), 79 deletions(-)
[PATCH v2 0/6] network: fix dhcp response packet checksums on virtual networks
Posted by Laine Stump 1 week, 3 days ago
Patch 6/6 explains the problem and how these patches fix it. Assuming
no problems are found (none so far) this should go into 10.10.0, as it
solves a regression caused by switching the network driver to the
nftables backend.

There was a prior attempt at fixing this that was accepted, pushed,
bugs were discovered, and it was reverted (see Patch 6/6 for
details). This will hopefully be the final attempt.

The differences from V1 are:

* use a single "flags" argument rather than 3 bools when calling
  virNetDevBandwidthSet() (Patch 1/5 turned into 1/6 & 2/6)

* be more lenient about what constitutes a "match" when looking at the
  output of "tc qdisc show" (Patch 3/5 turned into 4/6

* call the new virFirewall layer "tc" rather than "raw", making it
  specific to "tc" (Patch 4/5 turned into 5/6)

There may still be some disagreement about putting the tc commands in
the virFirewall, but I wanted to get this sent to save time in case my
argument was convincing :-)

Laine Stump (6):
  util: use a single flags arg for virNetDevBandwidthSet(), not multiple
    bools
  util: make it optional to clear existing tc qdiscs/filters in
    virNetDevBandwidthSet()
  util: put the command that adds a tx filter qdisc into a separate
    function
  util: don't re-add the qdisc used for tx filters if it already exists
  util: add new "tc" layer for virFirewallCmd objects
  network: add tc filter rule to nftables backend to fix checksum of
    DHCP responses

 src/libvirt_private.syms                      |   1 +
 src/lxc/lxc_driver.c                          |   8 +-
 src/lxc/lxc_process.c                         |   8 +-
 src/network/bridge_driver.c                   |  10 +-
 src/network/network_nftables.c                |  69 +++++++++++
 src/qemu/qemu_command.c                       |  11 +-
 src/qemu/qemu_driver.c                        |  29 ++---
 src/qemu/qemu_hotplug.c                       |  22 +++-
 src/util/virfirewall.c                        |  66 +++++++----
 src/util/virfirewall.h                        |   1 +
 src/util/virfirewalld.c                       |   1 +
 src/util/virnetdevbandwidth.c                 | 110 ++++++++++++++----
 src/util/virnetdevbandwidth.h                 |  15 ++-
 .../forward-dev-linux.nftables                |  40 +++++++
 .../isolated-linux.nftables                   |  40 +++++++
 .../nat-default-linux.nftables                |  40 +++++++
 .../nat-ipv6-linux.nftables                   |  40 +++++++
 .../nat-ipv6-masquerade-linux.nftables        |  40 +++++++
 .../nat-many-ips-linux.nftables               |  40 +++++++
 .../nat-no-dhcp-linux.nftables                |  40 +++++++
 .../nat-port-range-ipv6-linux.nftables        |  40 +++++++
 .../nat-port-range-linux.nftables             |  40 +++++++
 .../nat-tftp-linux.nftables                   |  40 +++++++
 .../route-default-linux.nftables              |  40 +++++++
 tests/virnetdevbandwidthtest.c                |  12 +-
 25 files changed, 724 insertions(+), 79 deletions(-)

-- 
2.47.0
Re: [PATCH v2 0/6] network: fix dhcp response packet checksums on virtual networks
Posted by Michal Prívozník 1 week, 3 days ago
On 11/26/24 04:24, Laine Stump wrote:
> Patch 6/6 explains the problem and how these patches fix it. Assuming
> no problems are found (none so far) this should go into 10.10.0, as it
> solves a regression caused by switching the network driver to the
> nftables backend.
> 
> There was a prior attempt at fixing this that was accepted, pushed,
> bugs were discovered, and it was reverted (see Patch 6/6 for
> details). This will hopefully be the final attempt.
> 
> The differences from V1 are:
> 
> * use a single "flags" argument rather than 3 bools when calling
>   virNetDevBandwidthSet() (Patch 1/5 turned into 1/6 & 2/6)
> 
> * be more lenient about what constitutes a "match" when looking at the
>   output of "tc qdisc show" (Patch 3/5 turned into 4/6
> 
> * call the new virFirewall layer "tc" rather than "raw", making it
>   specific to "tc" (Patch 4/5 turned into 5/6)
> 
> There may still be some disagreement about putting the tc commands in
> the virFirewall, but I wanted to get this sent to save time in case my
> argument was convincing :-)
> 
> Laine Stump (6):
>   util: use a single flags arg for virNetDevBandwidthSet(), not multiple
>     bools
>   util: make it optional to clear existing tc qdiscs/filters in
>     virNetDevBandwidthSet()
>   util: put the command that adds a tx filter qdisc into a separate
>     function
>   util: don't re-add the qdisc used for tx filters if it already exists
>   util: add new "tc" layer for virFirewallCmd objects
>   network: add tc filter rule to nftables backend to fix checksum of
>     DHCP responses
> 
>  src/libvirt_private.syms                      |   1 +
>  src/lxc/lxc_driver.c                          |   8 +-
>  src/lxc/lxc_process.c                         |   8 +-
>  src/network/bridge_driver.c                   |  10 +-
>  src/network/network_nftables.c                |  69 +++++++++++
>  src/qemu/qemu_command.c                       |  11 +-
>  src/qemu/qemu_driver.c                        |  29 ++---
>  src/qemu/qemu_hotplug.c                       |  22 +++-
>  src/util/virfirewall.c                        |  66 +++++++----
>  src/util/virfirewall.h                        |   1 +
>  src/util/virfirewalld.c                       |   1 +
>  src/util/virnetdevbandwidth.c                 | 110 ++++++++++++++----
>  src/util/virnetdevbandwidth.h                 |  15 ++-
>  .../forward-dev-linux.nftables                |  40 +++++++
>  .../isolated-linux.nftables                   |  40 +++++++
>  .../nat-default-linux.nftables                |  40 +++++++
>  .../nat-ipv6-linux.nftables                   |  40 +++++++
>  .../nat-ipv6-masquerade-linux.nftables        |  40 +++++++
>  .../nat-many-ips-linux.nftables               |  40 +++++++
>  .../nat-no-dhcp-linux.nftables                |  40 +++++++
>  .../nat-port-range-ipv6-linux.nftables        |  40 +++++++
>  .../nat-port-range-linux.nftables             |  40 +++++++
>  .../nat-tftp-linux.nftables                   |  40 +++++++
>  .../route-default-linux.nftables              |  40 +++++++
>  tests/virnetdevbandwidthtest.c                |  12 +-
>  25 files changed, 724 insertions(+), 79 deletions(-)
> 

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
Re: [PATCH v2 0/6] network: fix dhcp response packet checksums on virtual networks
Posted by Michal Prívozník 1 week, 3 days ago
On 11/26/24 13:17, Michal Prívozník wrote:
> On 11/26/24 04:24, Laine Stump wrote:
>> Patch 6/6 explains the problem and how these patches fix it. Assuming
>> no problems are found (none so far) this should go into 10.10.0, as it
>> solves a regression caused by switching the network driver to the
>> nftables backend.
>>
>> There was a prior attempt at fixing this that was accepted, pushed,
>> bugs were discovered, and it was reverted (see Patch 6/6 for
>> details). This will hopefully be the final attempt.
>>
>> The differences from V1 are:
>>
>> * use a single "flags" argument rather than 3 bools when calling
>>   virNetDevBandwidthSet() (Patch 1/5 turned into 1/6 & 2/6)
>>
>> * be more lenient about what constitutes a "match" when looking at the
>>   output of "tc qdisc show" (Patch 3/5 turned into 4/6
>>
>> * call the new virFirewall layer "tc" rather than "raw", making it
>>   specific to "tc" (Patch 4/5 turned into 5/6)
>>
>> There may still be some disagreement about putting the tc commands in
>> the virFirewall, but I wanted to get this sent to save time in case my
>> argument was convincing :-)
>>
>> Laine Stump (6):
>>   util: use a single flags arg for virNetDevBandwidthSet(), not multiple
>>     bools
>>   util: make it optional to clear existing tc qdiscs/filters in
>>     virNetDevBandwidthSet()
>>   util: put the command that adds a tx filter qdisc into a separate
>>     function
>>   util: don't re-add the qdisc used for tx filters if it already exists
>>   util: add new "tc" layer for virFirewallCmd objects
>>   network: add tc filter rule to nftables backend to fix checksum of
>>     DHCP responses
>>
>>  src/libvirt_private.syms                      |   1 +
>>  src/lxc/lxc_driver.c                          |   8 +-
>>  src/lxc/lxc_process.c                         |   8 +-
>>  src/network/bridge_driver.c                   |  10 +-
>>  src/network/network_nftables.c                |  69 +++++++++++
>>  src/qemu/qemu_command.c                       |  11 +-
>>  src/qemu/qemu_driver.c                        |  29 ++---
>>  src/qemu/qemu_hotplug.c                       |  22 +++-
>>  src/util/virfirewall.c                        |  66 +++++++----
>>  src/util/virfirewall.h                        |   1 +
>>  src/util/virfirewalld.c                       |   1 +
>>  src/util/virnetdevbandwidth.c                 | 110 ++++++++++++++----
>>  src/util/virnetdevbandwidth.h                 |  15 ++-
>>  .../forward-dev-linux.nftables                |  40 +++++++
>>  .../isolated-linux.nftables                   |  40 +++++++
>>  .../nat-default-linux.nftables                |  40 +++++++
>>  .../nat-ipv6-linux.nftables                   |  40 +++++++
>>  .../nat-ipv6-masquerade-linux.nftables        |  40 +++++++
>>  .../nat-many-ips-linux.nftables               |  40 +++++++
>>  .../nat-no-dhcp-linux.nftables                |  40 +++++++
>>  .../nat-port-range-ipv6-linux.nftables        |  40 +++++++
>>  .../nat-port-range-linux.nftables             |  40 +++++++
>>  .../nat-tftp-linux.nftables                   |  40 +++++++
>>  .../route-default-linux.nftables              |  40 +++++++
>>  tests/virnetdevbandwidthtest.c                |  12 +-
>>  25 files changed, 724 insertions(+), 79 deletions(-)
>>
> 
> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
> 
> Michal

Actually, I went ahead and merged these per Jirka's (almost in person)
request as he wants to enter the freeze soon.

Michal
Re: [PATCH v2 0/6] network: fix dhcp response packet checksums on virtual networks
Posted by Laine Stump 1 week, 3 days ago
On 11/26/24 8:39 AM, Michal Prívozník wrote:
> On 11/26/24 13:17, Michal Prívozník wrote:
>> On 11/26/24 04:24, Laine Stump wrote:
>>> Patch 6/6 explains the problem and how these patches fix it. Assuming
>>> no problems are found (none so far) this should go into 10.10.0, as it
>>> solves a regression caused by switching the network driver to the
>>> nftables backend.
>>>
>>> There was a prior attempt at fixing this that was accepted, pushed,
>>> bugs were discovered, and it was reverted (see Patch 6/6 for
>>> details). This will hopefully be the final attempt.
>>>
>>> The differences from V1 are:
>>>
>>> * use a single "flags" argument rather than 3 bools when calling
>>>    virNetDevBandwidthSet() (Patch 1/5 turned into 1/6 & 2/6)
>>>
>>> * be more lenient about what constitutes a "match" when looking at the
>>>    output of "tc qdisc show" (Patch 3/5 turned into 4/6
>>>
>>> * call the new virFirewall layer "tc" rather than "raw", making it
>>>    specific to "tc" (Patch 4/5 turned into 5/6)
>>>
>>> There may still be some disagreement about putting the tc commands in
>>> the virFirewall, but I wanted to get this sent to save time in case my
>>> argument was convincing :-)
>>>
>>> Laine Stump (6):
>>>    util: use a single flags arg for virNetDevBandwidthSet(), not multiple
>>>      bools
>>>    util: make it optional to clear existing tc qdiscs/filters in
>>>      virNetDevBandwidthSet()
>>>    util: put the command that adds a tx filter qdisc into a separate
>>>      function
>>>    util: don't re-add the qdisc used for tx filters if it already exists
>>>    util: add new "tc" layer for virFirewallCmd objects
>>>    network: add tc filter rule to nftables backend to fix checksum of
>>>      DHCP responses
>>>
>>>   src/libvirt_private.syms                      |   1 +
>>>   src/lxc/lxc_driver.c                          |   8 +-
>>>   src/lxc/lxc_process.c                         |   8 +-
>>>   src/network/bridge_driver.c                   |  10 +-
>>>   src/network/network_nftables.c                |  69 +++++++++++
>>>   src/qemu/qemu_command.c                       |  11 +-
>>>   src/qemu/qemu_driver.c                        |  29 ++---
>>>   src/qemu/qemu_hotplug.c                       |  22 +++-
>>>   src/util/virfirewall.c                        |  66 +++++++----
>>>   src/util/virfirewall.h                        |   1 +
>>>   src/util/virfirewalld.c                       |   1 +
>>>   src/util/virnetdevbandwidth.c                 | 110 ++++++++++++++----
>>>   src/util/virnetdevbandwidth.h                 |  15 ++-
>>>   .../forward-dev-linux.nftables                |  40 +++++++
>>>   .../isolated-linux.nftables                   |  40 +++++++
>>>   .../nat-default-linux.nftables                |  40 +++++++
>>>   .../nat-ipv6-linux.nftables                   |  40 +++++++
>>>   .../nat-ipv6-masquerade-linux.nftables        |  40 +++++++
>>>   .../nat-many-ips-linux.nftables               |  40 +++++++
>>>   .../nat-no-dhcp-linux.nftables                |  40 +++++++
>>>   .../nat-port-range-ipv6-linux.nftables        |  40 +++++++
>>>   .../nat-port-range-linux.nftables             |  40 +++++++
>>>   .../nat-tftp-linux.nftables                   |  40 +++++++
>>>   .../route-default-linux.nftables              |  40 +++++++
>>>   tests/virnetdevbandwidthtest.c                |  12 +-
>>>   25 files changed, 724 insertions(+), 79 deletions(-)
>>>
>>
>> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
>>
>> Michal
> 
> Actually, I went ahead and merged these per Jirka's (almost in person)
> request as he wants to enter the freeze soon.

Okay, thanks!