From: Florian Westphal <fw@strlen.de>
To: "Greenberg, Paul" <greenbergp@HSS.EDU>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: nftables destination ip rewrite - checksum recalculation
Date: Mon, 31 Aug 2020 15:21:39 +0200	[thread overview]
Message-ID: <20200831132139.GI7319@breakpoint.cc> (raw)
In-Reply-To: <CY4PR20MB1159B43B8849944AC51011D2D1510@CY4PR20MB1159.namprd20.prod.outlook.com>

Greenberg, Paul <greenbergp@HSS.EDU> wrote:
> Hi All,
> 
> I am running into the following issue while working on a port-mapping CNI plugin compatible with nftables.
> 
> My target OS is CentOS: 3.10.0-1127.19.1.el7.x86_64 with nftables v0.8 (Joe Btfsplk)
> 
> How do I force the recalculation of checksum on a packet where I modify destination IP address?

> table ip raw {
>     chain prerouting {
>         type filter hook prerouting priority -300; policy accept;
>         iifname != "cni-podman0" tcp dport http ip daddr set 10.88.0.114 tcp dport set http return 
>     }
> }
> After rewriting the destination address, packets arrive at the container with the checksum error below.
> 
> 01:05:16.704789 ee:58:3f:4d:1f:23 > ea:56:b4:c6:4f:c7, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 63, id 8844, offset 0, flags [none], proto TCP (6), length 44)
>   10.0.2.2.54017 > 10.88.0.116.80: Flags [S], cksum 0xd776 (incorrect -> 0xd8b9), seq 2337032705, win 65535, options [mss 1460], length 0
> 
> The incorrect checksum causes the TCP handshake to fail. That is, SYN packets arrive, but the container disregards them and does not send a SYN/ACK back because of the incorrect checksum.
> 
> The destination IP rewrite has NFT_PAYLOAD_L4CSUM_PSEUDOHDR flags.

NFT_PAYLOAD_L4CSUM_PSEUDOHDR was added in Linux 4.10 and is not available in CentOS 7.
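The capture in the question shows exactly what happens when `ip daddr set` runs on a kernel that cannot apply the pseudo-header fixup: the IPv4 header checksum covers only the header and is repaired, but the TCP checksum is computed over a pseudo-header that also contains the destination address, so it is left stale. The following Python is an added example written for this page, not code from the thread or from nftables. It rebuilds the SYN from the tcpdump line (10.0.2.2:54017 -> 10.88.0.116:80, seq 2337032705, win 65535, mss 1460, ttl 63, id 8844), recomputes both checksums, and applies the RFC 1624 incremental update that the kernel's pseudo-header fixup performs when an address changes. The pre-rewrite destination 10.0.2.15 is an assumption: it is the address that reproduces tcpdump's stale value 0xd776 (any address whose two 16-bit halves sum to 0x0c0f would give the same value), and it is the usual guest address on a 10.0.2.0/24 user-mode NAT whose gateway is 10.0.2.2.

```python
"""Why a stateless `ip daddr set` breaks TCP without a pseudo-header fixup.

Added example for this page, not code from the thread. Packet fields are
constructed from the tcpdump line in the question; OLD_DST is an assumption.
"""
import socket
import struct

TCP = 6

SRC = "10.0.2.2"
OLD_DST = "10.0.2.15"      # assumed pre-rewrite destination (see lead-in)
NEW_DST = "10.88.0.116"    # destination after `ip daddr set`


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, l4_len: int) -> bytes:
    """IPv4 pseudo-header; this is why the L4 checksum depends on the addresses."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, proto, l4_len))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over pseudo-header + segment with the checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return inet_checksum(pseudo_header(src, dst, TCP, len(zeroed)) + zeroed)


def build_syn_segment() -> bytes:
    """TCP SYN from the tcpdump line (constructed); checksum field left 0."""
    data_offset = 6  # 20-byte header + 4-byte MSS option = 24 bytes
    header = struct.pack("!HHIIBBHHH",
                         54017, 80,               # source port, destination port
                         2337032705, 0,           # seq, ack
                         data_offset << 4, 0x02,  # offset/reserved, flags = SYN
                         65535, 0, 0)             # window, checksum, urgent
    mss_option = struct.pack("!BBH", 2, 4, 1460)
    return header + mss_option


def build_ipv4_header(dst: str, payload_len: int) -> bytes:
    """IPv4 header from the tcpdump line with its own checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,  # version/ihl, tos, total length
                      8844, 0,                    # id, flags/fragment offset
                      63, TCP, 0,                 # ttl, protocol, checksum (0 for now)
                      socket.inet_aton(SRC), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def ipv4_header_ok(hdr: bytes) -> bool:
    """A header carrying a correct checksum sums to 0xffff, checksum included."""
    return ones_complement_sum(hdr) == 0xFFFF


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). The pseudo-header fixup does
    this for the address words instead of re-summing the whole segment."""
    total = (~old_csum) & 0xFFFF
    total += ones_complement_sum(bytes(b ^ 0xFF for b in old_field))
    total += ones_complement_sum(new_field)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def demo() -> dict:
    syn = build_syn_segment()
    stale = tcp_checksum(SRC, OLD_DST, syn)    # what the sender put on the wire
    correct = tcp_checksum(SRC, NEW_DST, syn)  # what the container expects
    fixed = incremental_update(stale, socket.inet_aton(OLD_DST),
                               socket.inet_aton(NEW_DST))
    return {
        "stale": stale, "correct": correct, "fixed": fixed,
        "ip_old_ok": ipv4_header_ok(build_ipv4_header(OLD_DST, len(syn))),
        "ip_new_ok": ipv4_header_ok(build_ipv4_header(NEW_DST, len(syn))),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, hex(val) if isinstance(val, int) else val)
```

`stale` reproduces tcpdump's 0xd776 and `correct` its 0xd8b9, so the only thing wrong with the packet in the capture is that the address words in the pseudo-header changed and the TCP checksum did not follow. The rewrite in the question can repair the IPv4 header checksum on the poster's kernel (both `ip_*_ok` checks pass), but without NFT_PAYLOAD_L4CSUM_PSEUDOHDR nothing performs the `incremental_update` step on the TCP checksum. A stateful `dnat` in a nat-hook chain does that adjustment through conntrack's NAT code and is the usual way to change destination addresses on kernels of that age.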

Thread overview: 3+ messages
2020-08-31 12:51 nftables destination ip rewrite - checksum recalculation Greenberg, Paul
2020-08-31 13:21 ` Florian Westphal [this message]
2020-08-31 13:46   ` Greenberg, Paul