[rhos-list] iptables checksum fix for DHCP with quantum/neutron (grizzly)

Michael Luksch Michael.Luksch at lcsystems.at
Thu Jul 11 10:09:35 UTC 2013


Hello,

There is/was this infamous bug in <tbd> where DHCP reply packets have an incorrect checksum when sent from the KVM hypervisor host to a VM using the virtio network adapter type. As a result, the DHCP client drops the response and never sets the offered IP address.

As a general "fix" for this, an iptables mangle rule is used, which sets a "correct" checksum by using the CHECKSUM target.
As an example of how common this fix is, just have a look at a default RHEL/CentOS install of KVM. When you create a network with the virsh/virt-manager tools, a rule like the following will be added:

iptables -t mangle -A POSTROUTING -o <device used> -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

It was reported to and implemented in OpenStack as well (over a year ago); see [1].
The fix is in nova/network/linux_net.py [2]

But in my install this rule is never created, and as such my VMs (cirros/other busybox-udhcpc based ones) failed to acquire IPs via DHCP.

I wonder if the code in nova/network/linux_net.py is ever called when using quantum/neutron.
If not, I guess a bug has to be created / re-opened.
Or is the problem as a whole seen as fixed by using either other virtual NICs (performance?) or other DHCP-clients?

If the last sentence is true, what would be the "best" place to have my individual iptables rules applied dynamically in the right namespace?

I am using quantum with openvswitch-plugin and provider-network mapped VLANs in a multi-host environment.
My dnsmasq instances are running in a separate namespace.
ATM I'm not using any l3-agent at all.
I had to add the iptables checksum rule by hand inside the dnsmasq namespace.


I am using:

CentOS 6.4
Grizzly ( 2013.1.2 )
Kernel 2.6.32-358.6.2.openstack.el6.x86_64
Dnsmasq 2.65

[1] https://bugzilla.redhat.com/show_bug.cgi?id=910619#c6
[2] https://github.com/openstack/nova/blob/master/nova/network/linux_net.py#L902

Thanks.

Michael Luksch
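
The manual step described in the message above, as an added shell example that is not part of the original post or of any OpenStack code: it appends the checksum-fill rule once to every DHCP namespace and skips namespaces that already have it. It assumes the DHCP namespaces are named qdhcp-<network-id>; the function names and the --apply switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: DHCP namespaces are
# named "qdhcp-<network-id>"; all function names here are hypothetical.

# Rule text as "iptables -S" prints it. No "-o <device>", so the rule covers
# every interface inside the namespace.
RULE='-p udp -m udp --dport 68 -j CHECKSUM --checksum-fill'

# Names of the DHCP namespaces, one per line. Newer iproute2 prints
# "name (id N)", so only the first field is kept.
list_dhcp_namespaces() {
    ip netns list | awk '$1 ~ /^qdhcp-/ { print $1 }'
}

# Succeeds if the mangle/POSTROUTING chain of namespace $1 already has the rule.
has_checksum_rule() {
    ip netns exec "$1" iptables -t mangle -S POSTROUTING | grep -qF -e "$RULE"
}

# Append the rule to namespace $1 unless it is already there.
ensure_checksum_rule() {
    if has_checksum_rule "$1"; then
        echo "present $1"
    else
        # $RULE is intentionally unquoted so it splits into arguments.
        ip netns exec "$1" iptables -t mangle -A POSTROUTING $RULE &&
            echo "added $1"
    fi
}

# Walk all DHCP namespaces and report one status line per namespace.
ensure_all() {
    for ns in $(list_dhcp_namespaces); do
        ensure_checksum_rule "$ns" || echo "failed $ns"
    done
}

# Run as root with "--apply"; without it the file only defines the functions.
case "${1:-}" in
    --apply) ensure_all ;;
esac
```

Because the check runs before every append, the script can be re-run after new networks are created without duplicating rules.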



