← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1878719] [NEW] DHCP Agent's iptables CHECKSUM rule causes skb_warn_bad_offload kernel

 

Public bug reported:

We are hitting this kernel issue due to a DHCP agent CHECKSUM rule that
is probably obsolete/not needed:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1840619

Upgrading the kernel is one workaround, but more disruptive, especially
since still using CentOS7, and kernel fix only made it into 4.19. We
should just remove this rule altogether. As per the kernel issue:

"The changes are limited only to users which have CHECKSUM rules enabled
in their iptables configs. Openstack commonly configures such rules on
deployment, even though they are not necessary, as almost all packets
have their checksum calculated by NICs these days, and CHECKSUM is only
around to service old dhcp clients which would discard UDP packets with
empty checksums.

This commit was selected for upstream -stable 4.18.13, and has made its
way into bionic 4.15.0-58.64 by LP #1836426. There have been no reported
problems and those kernels would have had sufficient testing with
Openstack and its configured iptables rules.

If any users are affected by regression, then they can simply delete any
CHECKSUM entries in their iptables configs."


I can see the metadata agent's CHECKSUM rule was alreayd removed last year: https://github.com/openstack/neutron/commit/04e995be9898ceaa009344509dc16ca7f589d814

Is there any reason the DHCP agent's was not? Is it safe to just remove
this function and where it is invoked from altogether?

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/dhcp.py#L1739
https://github.com/openstack/neutron/blob/cb55643a0695ebc5b41f50f6edb1546bcc676b71/neutron/agent/linux/dhcp.py#L1691

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1878719

Title:
  DHCP Agent's iptables CHECKSUM rule causes  skb_warn_bad_offload
  kernel

Status in neutron:
  New

Bug description:
  We are hitting this kernel issue due to a DHCP agent CHECKSUM rule
  that is probably obsolete/not needed:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1840619

  Upgrading the kernel is one workaround, but more disruptive,
  especially since still using CentOS7, and kernel fix only made it into
  4.19. We should just remove this rule altogether. As per the kernel
  issue:

  "The changes are limited only to users which have CHECKSUM rules
  enabled in their iptables configs. Openstack commonly configures such
  rules on deployment, even though they are not necessary, as almost all
  packets have their checksum calculated by NICs these days, and
  CHECKSUM is only around to service old dhcp clients which would
  discard UDP packets with empty checksums.

  This commit was selected for upstream -stable 4.18.13, and has made
  its way into bionic 4.15.0-58.64 by LP #1836426. There have been no
  reported problems and those kernels would have had sufficient testing
  with Openstack and its configured iptables rules.

  If any users are affected by regression, then they can simply delete
  any CHECKSUM entries in their iptables configs."

  
  I can see the metadata agent's CHECKSUM rule was alreayd removed last year: https://github.com/openstack/neutron/commit/04e995be9898ceaa009344509dc16ca7f589d814

  Is there any reason the DHCP agent's was not? Is it safe to just
  remove this function and where it is invoked from altogether?

  https://github.com/openstack/neutron/blob/master/neutron/agent/linux/dhcp.py#L1739
  https://github.com/openstack/neutron/blob/cb55643a0695ebc5b41f50f6edb1546bcc676b71/neutron/agent/linux/dhcp.py#L1691

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1878719/+subscriptions


Follow ups