DHCP Agent's iptables CHECKSUM rule causes skb_warn_bad_offload kernel
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Expired
|
Undecided
|
Unassigned |
Bug Description
We are hitting this kernel issue due to a DHCP agent CHECKSUM rule that is probably obsolete/not needed: https:/
Upgrading the kernel is one workaround, but more disruptive, especially since still using CentOS7, and kernel fix only made it into 4.19. We should just remove this rule altogether. As per the kernel issue:
"The changes are limited only to users which have CHECKSUM rules enabled in their iptables configs. Openstack commonly configures such rules on deployment, even though they are not necessary, as almost all packets have their checksum calculated by NICs these days, and CHECKSUM is only around to service old dhcp clients which would discard UDP packets with empty checksums.
This commit was selected for upstream -stable 4.18.13, and has made its way into bionic 4.15.0-58.64 by LP #1836426. There have been no reported problems and those kernels would have had sufficient testing with Openstack and its configured iptables rules.
If any users are affected by regression, then they can simply delete any CHECKSUM entries in their iptables configs."
I can see the metadata agent's CHECKSUM rule was alreayd removed last year: https:/
Is there any reason the DHCP agent's was not? Is it safe to just remove this function and where it is invoked from altogether?
https:/
https:/
"as almost all packets have their checksum calculated by NICs these days, and CHECKSUM is only around to service old dhcp clients which would discard UDP packets with empty checksums."
if we are worried about legacy VMs and NICs, perhaps we can add a config option for this?