Remove iptables rule for SCTP checksum fixup #47952
Comments
It's quite the coincidence that I ended up finding this ticket, because my issue is that this specific rule basically prevents using the same sctp port for local (docker nw) and remote (->reachable via physical nw if) clients at the same time; the sctp conn for local clients basically times out after INIT/INIT_ACK. This specifically breaks having both remote and local "sw only/zmq" enbs at the same time with the https://github.com/herlesupreeth/docker_open5gs setup.
Having looked at this a bit more closely, I'm not confident about removing the rule ... The comment says "Linux kernel v4.9 and below enables NETIF_F_SCTP_CRC for veth by the following commit" ... the commit adds I think that means the Perhaps the issue is that the veth device doesn't actually add the checksum. In which case, if the packet ends up being transmitted via a NIC that doesn't add the checksum either, there's no checksum ... and this mangle rule is to fix it. If that's right, the mangle rule would be needed as a workaround for kernel 4.9 and above (rather than for kernels older than 4.9). Needs further investigation / testing ...
Yes, the comment is misleading, it is actually for newer kernels that claim hw checksum support. See https://patchwork.ozlabs.org/project/netdev/patch/[email protected]/ for a slightly more recent discussion that kind of explains the issue. I am not certain that the rule is still required tho, 4.9 was a long time ago, and it was apparently very easy to hit that (missing) checksum issue... But I guess the safe fix here would be to at least adjust the rule to ensure it does not apply to internal traffic between containers - internal sctp traffic currently works fine for any other port, but ends up with a wrong checksum when hitting that rule.
Just to clarify: NETIF_F_SCTP_CRC was introduced to veth in
which is present in 4.9-rc1 and newer (up to today's torvalds' master)
What I find a bit confusing is that the CHECKSUM target (xt_CHECKSUM.c) calls skb_checksum_help, which is a function caring about the classic 1's-complement checksum, while the NETIF_F_SCTP_CRC flag is about the CRC32 checksum of SCTP. So I don't really understand how using the iptables CHECKSUM target should ever have fixed something related to the CRC32 of SCTP.
Furthermore, since kernel v4.19, the xt_CHECKSUM.c explicitly states it should only be used for UDP and only in the OUTPUT chain - while docker is using it for SCTP in the PREROUTING chain:
Thank you @Hoernchen and @laf0rge, that's really helpful. We just discussed this on the moby n/w maintainers call (@corhere, @akerouanton) ... as the code doesn't really make sense to any of us, we'll disable it. Not expecting anything to break, but we'll include an environment-variable escape hatch / way to re-enable it for a release or-so.
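To make the distinction raised in the thread concrete (the RFC 1071 ones-complement sum that skb_checksum_help computes versus the CRC32c that SCTP actually carries), and to give a way to check the checksum of an SCTP packet pulled from a capture, here is an added example; it is not code from moby or from anyone in this issue. The INIT packet and port 36412 are constructed sample values.

```python
import struct

def crc32c(data: bytes) -> int:
    """Reflected CRC-32C (Castagnoli), the algorithm SCTP uses (RFC 4960 App. B)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum: what the CHECKSUM target ends up computing."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def sctp_checksum(packet: bytes) -> int:
    """CRC32c over the whole SCTP packet with the 4-byte checksum field zeroed."""
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    return crc32c(zeroed)

def sctp_checksum_ok(packet: bytes) -> bool:
    """Verify a captured SCTP packet; the CRC is stored little-endian on the wire."""
    stored = struct.unpack("<I", packet[8:12])[0]
    return stored == sctp_checksum(packet)

def build_sctp_init(src_port: int, dst_port: int, init_tag: int) -> bytes:
    """Constructed sample: common header + minimal INIT chunk (type 1, 20 bytes)."""
    chunk = struct.pack("!BBH", 1, 0, 20) + struct.pack("!IIHHI", init_tag, 65535, 10, 10, 1)
    hdr = struct.pack("!HHII", src_port, dst_port, 0, 0)   # vtag 0, checksum 0 for INIT
    pkt = hdr + chunk
    return pkt[:8] + struct.pack("<I", sctp_checksum(pkt)) + pkt[12:]

if __name__ == "__main__":
    pkt = build_sctp_init(36412, 36412, 0x12345678)
    print("CRC32c on wire:", hex(sctp_checksum(pkt)), "valid:", sctp_checksum_ok(pkt))
    print("ones-complement of same bytes:", hex(internet_checksum(pkt)))
```

Feeding a packet through both functions shows that the 16-bit ones-complement value bears no relation to the 32-bit CRC32c SCTP expects, which is why a CHECKSUM-target rewrite cannot repair an SCTP checksum.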
Description
@akerouanton noted in #47871 (comment) that this code for SCTP checksum fixup can now be removed ...
moby/libnetwork/drivers/bridge/port_mapping_linux.go
Lines 542 to 560 in 8c2e4ca