Date:   Sun, 5 Aug 2018 16:53:30 -0400
From:   Satish Patel <satish.txt@...il.com>
To:     Florian Westphal <fw@...len.de>
Cc:     netdev@...r.kernel.org
Subject: Re: Linux kernel error stack

After reading further about the related DHCP checksum issue, it seems we
need that rule when you are running DHCP on the same host machine where
your guest is using the host DHCP service; in that case the virtual NIC
won't do the checksum. If your DHCP is running on a different host, then
your physical NIC performs the checksum.

On Sun, Aug 5, 2018 at 4:39 PM, Satish Patel <satish.txt@...il.com> wrote:
> Florian,
>
> I have removed those port 80 CHECKSUM rules and everything looks good;
> I didn't see the kernel WARN message.
>
> Thank you so much! You just nailed it :)
>
> On Sun, Aug 5, 2018 at 4:15 PM, Satish Patel <satish.txt@...il.com> wrote:
>> Florian,
>>
>> It seems those rules are coming from here:
>> https://github.com/openstack/openstack-ansible-os_neutron/blob/master/files/post-up-metadata-checksum
>>
>> On Sun, Aug 5, 2018 at 4:09 PM, Satish Patel <satish.txt@...il.com> wrote:
>>> Yes, this is the openstack-ansible deployment tool which set them up. I am
>>> wondering where these rules are saved? I believe openstack-ansible uses
>>> LXC containers to deploy services, so it must be part of the LXC startup
>>> scripts.
>>>
>>> I have checked; there is no firewalld or iptables service running on the system.
>>>
>>> You think I should get rid of all CHECKSUM options in the iptables rules? Am I right?
>>>
>>>
>>> On Sun, Aug 5, 2018 at 4:02 PM, Florian Westphal <fw@...len.de> wrote:
>>>> Satish Patel <satish.txt@...il.com> wrote:
>>>>> > [84166:59495417] -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
>>>>> > --checksum-fill
>>>>> > [68739:5153476] -A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM
>>>>> > --checksum-fill
>>>>
>>>> These rules make no sense to me, and are also source of your backtrace.
>>>> Who set this up?
>>>>
>>>> If this is coming from openstack, I suggest asking openstack developers
>>>> WTH this is supposed to do.
>>>>
>>>>> > [755:275452] -A POSTROUTING -s 10.0.3.0/24 -o lxcbr0 -p udp -m udp
>>>>> > --dport 68 -j CHECKSUM --checksum-fill
>>>>
>>>> This was needed to work around dhcpd issues w. checksum offloading but I
>>>> guess that DHCP will work fine without this rule too nowadays.
>>>>
>>>> So I suggest you simply get rid of these rules.
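
Added example, not part of the thread and not OpenStack-Ansible code: a small audit that scans `iptables-save -c` output for CHECKSUM rules like the ones discussed above, separates the udp/68 DHCP workaround from the rest, and prints the matching delete command for each. The sample dump reuses the three rules quoted in the thread; the `*mangle`/`COMMIT` framing, the MARK rule, and the function name `find_checksum_rules` are assumptions made for the example.

```python
import re

# Rules quoted in the thread (iptables-save -c format), wrapped lines rejoined.
# The *mangle/COMMIT framing and the MARK rule are constructed for this example.
SAMPLE = """\
*mangle
[84166:59495417] -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM --checksum-fill
[68739:5153476] -A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM --checksum-fill
[755:275452] -A POSTROUTING -s 10.0.3.0/24 -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
[10:600] -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
"""

# Optional [packets:bytes] counters, then "-A <chain> <rule spec>".
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")

def find_checksum_rules(dump):
    """Return every rule whose target is CHECKSUM, with counters and a category."""
    found, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *mangle
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, _nbytes, chain, spec = m.groups()
        args = spec.split()
        # Map each option to the token that follows it (enough for -p, -j, --dport).
        opts = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("-")}
        if opts.get("-j") != "CHECKSUM":
            continue
        # The thread singles out udp/68 as the old DHCP offload workaround;
        # the TCP rules are the ones identified as the source of the backtrace.
        dhcp = opts.get("-p") == "udp" and opts.get("--dport") == "68"
        found.append({
            "table": table, "chain": chain, "packets": int(pkts or 0),
            "kind": "dhcp-workaround" if dhcp else "other",
            "delete_cmd": f"iptables -t {table} -D {chain} {spec}",
        })
    return found

if __name__ == "__main__":
    for r in find_checksum_rules(SAMPLE):
        print(f"{r['kind']:16} pkts={r['packets']:<8} {r['delete_cmd']}")
```

On a live host, feed it the output of `iptables-save -c` instead of `SAMPLE`; the packet counters show which rules are actually being hit.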
