iptables checksum-fill causing kernel warning error stack
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack-Ansible | Fix Released | Undecided | Unassigned | |
Bug Description
For the last 24 hours I have been chasing the following error in my "dmesg" logs. I am using QUEENS 17.0.7.
[ 633.129619] ------------[ cut here ]------------
[ 633.129624] bond0.28: caps=(0x0000000
[ 633.129651] WARNING: CPU: 6 PID: 9489 at net/core/dev.c:2662 skb_warn_
[ 633.129652] Modules linked in: tcp_diag udp_diag inet_diag unix_diag ebtable_filter ebtable_nat iptable_raw veth bonding ip6table_mangle xt_CHECKSUM rpcrdma sunrpc ib_isert iscsi_target_mod ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm sb_edac x86_pkg_
[ 633.129704] ttm drm hpsa scsi_transport_sas be2net dm_mirror dm_region_hash dm_log vhost_net tun tap vhost iscsi_tcp libiscsi_tcp libiscsi scsi_transport_
[ 633.129736] CPU: 6 PID: 9489 Comm: httpd Tainted: G W 4.17.12-
[ 633.129738] Hardware name: HP ProLiant BL460c Gen8, BIOS I31 06/01/2015
[ 633.129741] RIP: 0010:skb_
[ 633.129742] RSP: 0018:ffff88042f
You know what, I found that these errors are directly related to the iptables checksum-fill rules.
[root@ostack-
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM --checksum-fill
-A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM --checksum-fill
-A POSTROUTING -s 10.0.3.0/24 -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
Can someone explain to me what CHECKSUM is doing on ports 80/8000? This rule makes no sense to me, and I am curious to know why it is there. Doing a checksum on TCP port 80 will just hurt performance and won't gain anything.
-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM --checksum-fill
-A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM --checksum-fill
I can understand that we need the DHCP checksum rule, because the virtual NIC doesn't perform the checksum, so we have to do checksum-fill.
Changed in openstack-ansible:
status: Fix Committed → Fix Released
Neutron meta-data services required this fix for some time; however, that can be disabled with the option `neutron_metadata_checksum_fix` set to false [ https://github.com/openstack/openstack-ansible-os_neutron/blob/stable/queens/defaults/main.yml#L351-L356 ].
If you're seeing this on your systems then we either had an issue with the conditions surrounding that option or the nodes started life as an AIO resulting in the iptables rules being created. The script that runs these commands can be found here [ https://github.com/openstack/openstack-ansible-os_neutron/blob/stable/queens/files/post-up-metadata-checksum ].
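
Added example, not part of the bug report or of the openstack-ansible code: a small shell audit that reads an `iptables -S` rule listing and separates the DHCP CHECKSUM rule from the TCP ones, printing the matching delete command for each TCP rule. The function names and the KEEP/CANDIDATE/REVIEW labels are made up for this example, the sample input is the listing quoted in the report, and `-t mangle` is assumed because the CHECKSUM target is only valid in the mangle table.

```shell
#!/bin/sh
# Added example: classify CHECKSUM rules from `iptables -t mangle -S` output.
# Prints commands only; nothing here modifies the running ruleset.

# Constructed sample input: the rule listing quoted in the bug description.
sample_rules() {
    cat <<'EOF'
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM --checksum-fill
-A POSTROUTING -p tcp -m tcp --sport 8000 -j CHECKSUM --checksum-fill
-A POSTROUTING -s 10.0.3.0/24 -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
EOF
}

# Reads rule specs on stdin and prints one line per CHECKSUM rule:
#   KEEP      DHCP reply rule (udp dport 68)
#   CANDIDATE TCP rule, shown as the matching delete command
#   REVIEW    any other CHECKSUM rule
audit_checksum_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            "-A "*"-j CHECKSUM --checksum-fill"*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"-p udp"*"--dport 68 "*)
                printf 'KEEP      %s\n' "$rule" ;;
            *"-p tcp"*)
                # "-A <chain> <match>" becomes "-D <chain> <match>".
                printf 'CANDIDATE iptables -t mangle -D %s\n' "${rule#-A }" ;;
            *)
                printf 'REVIEW    %s\n' "$rule" ;;
        esac
    done
}

# Number of TCP CHECKSUM rules found, for use as a simple host check.
count_tcp_checksum_rules() {
    audit_checksum_rules | grep -c '^CANDIDATE' || true
}

# Live use (as root): iptables -t mangle -S | audit_checksum_rules
sample_rules | audit_checksum_rules
```

The post-up-metadata-checksum script linked above is what creates these rules, so check whether it is still installed on the host before relying on a one-off delete.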