DHCP checksum fixing rule is too broad: in POSTROUTING chain, not OUTPUT
Bug #1629309 reported by Nell Jerram
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
networking-calico | In Progress | Undecided | Sam Yaple | |
Bug Description
Moved here from https:/
matthewdupre commented on 1 Jul 2015
This is a split from issue https:/
We currently use a rule that looks like iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill, but this is too broad.
We should make the rule more specific - @nbartos suggests iptables -t mangle -A OUTPUT -o tap+ -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill.
The most important thing is moving from the POSTROUTING to OUTPUT chain, so we don't run the rule over forwarded packets. This will need to be upstreamed.
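An added example (not part of the bug report and not networking-calico code): a shell audit over `iptables-save -t mangle` text that flags the broad POSTROUTING rule described above and accepts the narrowed OUTPUT form. The function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables-save -t mangle` text for DHCP checksum rules.
# Function names and the sample rulesets below are constructed for illustration.

# Reads iptables-save text on stdin; prints one verdict per udp/68 CHECKSUM rule:
#   BROAD     rule sits outside OUTPUT (e.g. POSTROUTING, which sees forwarded packets)
#   UNSCOPED  rule is in OUTPUT but has no -o interface match
#   OK        rule is in OUTPUT and limited to an output interface
audit_checksum_rules() {
    awk '
        /^-A / && /-p udp/ && /--dport 68( |$)/ && /-j CHECKSUM/ && /--checksum-fill/ {
            chain = $2
            scoped = 0
            for (i = 3; i < NF; i++) if ($i == "-o") scoped = 1
            if (chain != "OUTPUT") print "BROAD " $0
            else if (!scoped)      print "UNSCOPED " $0
            else                   print "OK " $0
        }'
}

# Prints how many rules in the iptables-save text on stdin are flagged BROAD.
count_broad() {
    audit_checksum_rules | grep -c '^BROAD ' || true
}

# Constructed sample: the rule currently in use, plus an unrelated rule.
SAMPLE_BEFORE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT'

# Constructed sample: the narrowed rule suggested in the report.
SAMPLE_AFTER='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o tap+ -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT'

# Stand-alone run: show the verdict for each sample ruleset.
printf '%s\n' "$SAMPLE_BEFORE" | audit_checksum_rules
printf '%s\n' "$SAMPLE_AFTER" | audit_checksum_rules
```

On a live host, feed it real state with `iptables-save -t mangle | audit_checksum_rules`.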
Changed in networking-calico:
assignee: Logan V (loganv) → Sam Yaple (s8m)
Fix proposed to branch: master
Review: https://review.openstack.org/383462