Re: Problem on SCTP

[Davide Caratti <dcaratti@redhat.com>]

On Tue, 2017-02-21 at 12:26 +0800, Sun Paul wrote:
> Hi,
> 
> sorry to get back late, the platform is running on KVM. and this
> problem is resolved by moving to VMware environment, however,  a new
> problem is coming out, we noticed that the HB REQ is being ABORT from
> client.

hello Sun,

I'm working on some issues with SCTP checksums: sometimes the kernel does
not compute CRC32c on forwarded SCTP packets (see
http://www.spinics.net/lists/linux-sctp/msg05666.html); but apparently this
is a scenario where the opposite occurs (i.e. the kernel computes CRC32c
even if when it is not necessary _ see below):

> On Fri, Jan 13, 2017 at 9:19 PM, Michael Tuexen
> <Michael.Tuexen@lurchi.franken.de> wrote:
> > 
> > > 
> > > On 13 Jan 2017, at 10:43, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
> > > 
> > > Your router does NOT change any field in the SCTP packet, but the
> > > SCTP checksum was modified from
> > >   Checksum: 0xbaea49e5 (not verified)
> > > to
> > >   Checksum: 0xa9a86d3f (not verified)
> > > At least one of these is wrong.

what Michael says is correct: in case SCTP NAT did not translate port
numbers, the packet CRC32c should not be recomputed, because SCTP checksum
has no pseudo-header. The (RFC) patch below modifies netfilter SCTP NAT to
avoid useless calls to sctp_compute_csum() when source / destination port
is not changed (*).
------ 8< ------------
--- a/net/netfilter/nf_nat_proto_sctp.c
+++ b/net/netfilter/nf_nat_proto_sctp.c
@@ -33,6 +33,7 @@
 	       enum nf_nat_manip_type maniptype)
 {
 	sctp_sctphdr_t *hdr;
+	__be16 port_xlate = 0;
 
 	if (!skb_make_writable(skb, hdroff + sizeof(*hdr)))
 		return false;
@@ -41,14 +42,17 @@
 
 	if (maniptype = NF_NAT_MANIP_SRC) {
 		/* Get rid of src port */
+		port_xlate |= hdr->source ^ tuple->src.u.sctp.port;
 		hdr->source = tuple->src.u.sctp.port;
 	} else {
 		/* Get rid of dst port */
+		port_xlate |= hdr->dest ^ tuple->dst.u.sctp.port;
 		hdr->dest = tuple->dst.u.sctp.port;
 	}
 
 	if (skb->ip_summed != CHECKSUM_PARTIAL) {
-		hdr->checksum = sctp_compute_cksum(skb, hdroff);
+		if (port_xlate)
+			hdr->checksum = sctp_compute_cksum(skb, hdroff);
 		skb->ip_summed = CHECKSUM_NONE;
 	}

------ >8 ------------
Please let me know if it can be useful in your setup.
Thank you in advance,
regards,
--
davide


Notes:
(*) how I tested this: on a two-namespace test setup, a
ncat server is running on namespace nat_test_b and listening for SCTP on 
eth1 (192.168.111.18:2000). On namespace nat_test_a, ncat client binds to
dummy0 (10.0.0.13) and connects to server through eth0 (192.168.111.17),
where a SNAT rule is configured; eth0 and eth1 are connected through a
switch. The following command is done on the client:

# perf probe -m nf_nat --add sctp_csum_update
# perf probe -m nf_nat --add sctp_csum_combine
# ip netns exec nat_test_a \
  perf record -e '{probe:sctp_csum_combine,probe:sctp_csum_update}' -R -- \
  ncat --sctp -c uname -s 10.0.0.13 -w1 192.168.111.18 2000

9 packets are received by the server:

IP 192.168.111.17.33022 > 192.168.111.18.2000: sctp (1) [INIT]
IP 192.168.111.18.2000 > 192.168.111.17.33022: sctp (1) [INIT ACK]
IP 192.168.111.17.33022 > 192.168.111.18.2000: sctp (1) [COOKIE ECHO] 
IP 192.168.111.18.2000 > 192.168.111.17.33022: sctp (1) [COOKIE ACK] 
IP 192.168.111.17.33022 > 192.168.111.18.2000: sctp (1) [DATA]
IP 192.168.111.18.2000 > 192.168.111.17.33022: sctp (1) [SACK]
IP 192.168.111.17.33022 > 192.168.111.18.2000: sctp (1) [SHUTDOWN] 
IP 192.168.111.18.2000 > 192.168.111.17.33022: sctp (1) [SHUTDOWN ACK] 
IP 192.168.111.17.33022 > 192.168.111.18.2000: sctp (1) [SHUTDOWN COMPLETE] 

Before applying the patch:

# perf script | wc -l
9

After applying the patch:

# perf script | wc -l
0