Linux Netfilter discussions
From: Florian Westphal <fw@strlen.de>
To: "Greenberg, Paul" <greenbergp@HSS.EDU>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: nftables destination ip rewrite - checksum recalculation
Date: Mon, 31 Aug 2020 15:21:39 +0200
Message-ID: <20200831132139.GI7319@breakpoint.cc>
In-Reply-To: <CY4PR20MB1159B43B8849944AC51011D2D1510@CY4PR20MB1159.namprd20.prod.outlook.com>

Greenberg, Paul <greenbergp@HSS.EDU> wrote:
> Hi All,
> 
> I am running into the following issue while working on a port-mapping CNI plugin compatible with nftables.
> 
> My target OS is CentOS: 3.10.0-1127.19.1.el7.x86_64 with nftables v0.8 (Joe Btfsplk)
> 
> How do I force the recalculation of checksum on a packet where I modify destination IP address?

> table ip raw {
>     chain prerouting {
>         type filter hook prerouting priority -300; policy accept;
>         iifname != "cni-podman0" tcp dport http ip daddr set 10.88.0.114 tcp dport set http return 
>     }
> }
> After rewriting the destination address, packets arrive at a container with the checksum error below.
> 
> 01:05:16.704789 ee:58:3f:4d:1f:23 > ea:56:b4:c6:4f:c7, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 63, id 8844, offset 0, flags [none], proto TCP (6), length 44)
>   10.0.2.2.54017 > 10.88.0.116.80: Flags [S], cksum 0xd776 (incorrect -> 0xd8b9), seq 2337032705, win 65535, options [mss 1460], length 0
> 
> The incorrect checksum causes the TCP handshake to fail. That is, SYN packets arrive, but the container disregards them and does not send a SYN/ACK back because of the incorrect checksum.
> 
> The destination IP rewrite has NFT_PAYLOAD_L4CSUM_PSEUDOHDR flags.

NFT_PAYLOAD_L4CSUM_PSEUDOHDR was added in Linux 4.10 and is not available in CentOS 7.
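
As an added illustration (not code from the thread), the checksum arithmetic behind the tcpdump line quoted above: the SYN is rebuilt from the fields in the capture, the pre-rewrite destination 10.0.2.15 is an assumption (a typical guest address behind the 10.0.2.2 NAT gateway) that the resulting 0xd776 confirms, and the incremental fixup is the RFC 1624 update the kernel applies to the L4 checksum only when the pseudo-header flag is honoured.

```python
import socket
import struct

# TCP SYN reconstructed from the capture: 10.0.2.2.54017 > 10.88.0.116.80,
# seq 2337032705, win 65535, MSS 1460, 24-byte header, no payload.
SYN_SEGMENT = struct.pack(
    "!HHIIBBHHH",
    54017, 80,           # source / destination port
    2337032705, 0,       # sequence number, ack number (0 on a SYN)
    6 << 4, 0x02,        # data offset = 6 words (24 bytes), flags = SYN
    65535, 0, 0,         # window, checksum (zeroed for computation), urgent pointer
) + b"\x02\x04\x05\xb4"  # option: MSS 1460


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(saddr: str, daddr: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (addresses, protocol 6,
    TCP length) plus the segment; this is why changing ip daddr alone
    leaves the L4 checksum stale even though the IP header checksum is fine."""
    pseudo = socket.inet_aton(saddr) + socket.inet_aton(daddr)
    pseudo += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    seg = segment[:16] + b"\x00\x00" + segment[18:]  # zero the checksum field
    return 0xFFFF ^ ones_complement_sum(pseudo + seg)


def update_checksum_for_daddr(old_csum: int, old_daddr: str, new_daddr: str) -> int:
    """Incremental fixup per RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), where m
    is the old and m' the new address. Only the pseudo-header contribution
    changes, so the rest of the segment need not be re-read."""
    old_m = ones_complement_sum(socket.inet_aton(old_daddr))
    new_m = ones_complement_sum(socket.inet_aton(new_daddr))
    total = (0xFFFF ^ old_csum) + (0xFFFF ^ old_m) + new_m
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return 0xFFFF ^ total


def demo():
    """Returns (checksum as sent, checksum the container expects, incremental fixup)."""
    before = tcp_checksum("10.0.2.2", "10.0.2.15", SYN_SEGMENT)    # 0xd776, as captured
    after = tcp_checksum("10.0.2.2", "10.88.0.116", SYN_SEGMENT)   # 0xd8b9, "incorrect -> 0xd8b9"
    fixed = update_checksum_for_daddr(before, "10.0.2.15", "10.88.0.116")
    return before, after, fixed
```

Both the full recomputation and the incremental update land on 0xd8b9, the value tcpdump reports as the correct one for the rewritten destination.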


Thread overview: 3+ messages
2020-08-31 12:51 nftables destination ip rewrite - checksum recalculation Greenberg, Paul
2020-08-31 13:21 ` Florian Westphal [this message]
2020-08-31 13:46   ` Greenberg, Paul
