DHCP checksum fixing rule is too broad: in POSTROUTING chain, not OUTPUT

Bug #1629309 reported by Neil Jerram on 2016-09-30
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Sam Yaple

Bug Description

Moved here from https://github.com/projectcalico/felix/issues/709:

matthewdupre commented on 1 Jul 2015

This is a split from issue https://github.com/projectcalico/felix/issues/40.

We currently use a rule that looks like iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill, but this is too broad.

We should make the rule more specific - @nbartos suggests iptables -t mangle -A OUTPUT -o tap+ -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill.

The most important thing is moving from the POSTROUTING to OUTPUT chain, so we don't run the rule over forwarded packets. This will need to be upstreamed.
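An added example, not part of the original report or of Felix/networking-calico: a small audit that reads `iptables-save -t mangle` text and classifies each DHCP (UDP dport 68) checksum-fill rule by chain. The function names, the sample ruleset (constructed) and the extra "WIDE" class for an OUTPUT rule with no `-o` match are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify CHECKSUM --checksum-fill rules for UDP dport 68.
# Input: text in iptables-save format on stdin. Output: one line per rule found.

audit_checksum_rules() {
    awk '
    # Rule lines only ("-A CHAIN ..."), restricted to the DHCP checksum-fill target.
    $1 == "-A" && /-j CHECKSUM/ && /--checksum-fill/ && /--dport 68( |$)/ {
        chain = $2
        has_out_if = 0
        for (i = 3; i < NF; i++)
            if ($i == "-o") has_out_if = 1

        if (chain != "OUTPUT")
            # Any chain other than OUTPUT here (e.g. POSTROUTING) also
            # sees forwarded packets, which is the problem in this bug.
            printf "BROAD chain=%s (not limited to locally generated packets): %s\n", chain, $0
        else if (!has_out_if)
            # Assumption of this example: the suggested rule also pins -o tap+.
            printf "WIDE chain=OUTPUT but no -o interface match: %s\n", $0
        else
            printf "OK chain=OUTPUT: %s\n", $0
    }'
}

# Constructed sample ruleset: the rule quoted in the report next to the
# narrower rule suggested in it.
sample_rules() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A OUTPUT -o tap+ -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
EOF
}

sample_rules | audit_checksum_rules
```

On a live host the same function can be fed from `iptables-save -t mangle | audit_checksum_rules`.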

Fix proposed to branch: master
Review: https://review.openstack.org/383462

Changed in networking-calico:
assignee: nobody → Logan V (logan2211)
status: New → In Progress
Changed in networking-calico:
assignee: Logan V (loganv) → Sam Yaple (s8m)