From: David Miller
Date: Tue, 22 Dec 2015 15:16:12 -0500 (EST)
Message-Id: <20151222.151612.206719325623084440.davem@davemloft.net>
To: vijayp@vijayp.ca
Cc: xiyou.wangcong@gmail.com, ej@evanjones.ca, nicolas.dichtel@6wind.com, phil@nwl.cc, makita.toshiaki@lab.ntt.co.jp, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
In-Reply-To: <1450467299-7188-1-git-send-email-vijayp@vijayp.ca>

From: Vijay Pandurangan
Date: Fri, 18 Dec 2015 14:34:59 -0500

> Packets that arrive from real hardware devices have ip_summed ==
> CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
> CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
> current version of veth will replace CHECKSUM_NONE with
> CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
> a veth device to be delivered to the application. This caused applications
> at Twitter to receive corrupt data when network hardware was corrupting
> packets.
>
> We believe this was added as an optimization to skip computing and
> verifying checksums for communication between containers. However, locally
> generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
> written does nothing for them. As far as we can tell, after removing this
> code, these packets are transmitted from one stack to another unmodified
> (tcpdump shows invalid checksums on both sides, as expected), and they are
> delivered correctly to applications. We didn’t test every possible network
> configuration, but we tried a few common ones such as bridging containers,
> using NAT between the host and a container, and routing from hardware
> devices to containers. We have effectively deployed this in production at
> Twitter (by disabling RX checksum offloading on veth devices).
>
> This code dates back to the first version of the driver, commit
> ("[NET]: Virtual ethernet device driver"), so I
> suspect this bug occurred mostly because the driver API has evolved
> significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix
> packet checksumming") (in December 2010) fixed this for packets that get
> created locally and sent to hardware devices, by not changing
> CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
> in from hardware devices.
>
> Co-authored-by: Evan Jones
> Signed-off-by: Evan Jones
> Cc: Nicolas Dichtel
> Cc: Phil Sutter
> Cc: Toshiaki Makita
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Vijay Pandurangan

Applied and queued up for -stable, thanks.
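
The checksum bypass described in the quoted commit message, as an added example that is not part of the original message or of the kernel source: a user-space C model of a corrupted packet travelling from a hardware NIC through veth to an application. `struct pkt` and every function name are constructed for illustration, and gating the old promotion on RX checksum offload is an assumption drawn from the mitigation the message mentions.

```c
/* User-space model, not kernel code; struct pkt and function names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CHECKSUM_NONE, CHECKSUM_UNNECESSARY };
struct pkt { uint8_t data[16]; int ip_summed; };

/* RFC 1071 ones'-complement checksum over n bytes (n is even here). */
static uint16_t csum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        s += ((uint32_t)p[i] << 8) | p[i + 1];
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Pre-patch veth promoted NONE to UNNECESSARY (assumed: only with RX csum offload on). */
static void veth_forward(struct pkt *p, int patched, int rx_csum)
{
    if (!patched && rx_csum && p->ip_summed == CHECKSUM_NONE)
        p->ip_summed = CHECKSUM_UNNECESSARY;
}

/* Receiving stack: verifies in software unless told it is unnecessary. */
static int stack_delivers(const struct pkt *p)
{
    return p->ip_summed == CHECKSUM_UNNECESSARY || csum(p->data, sizeof p->data) == 0;
}

/* One constructed packet: hardware NIC -> veth -> application. Returns 1 if delivered. */
int delivered(int patched, int rx_csum, int corrupt)
{
    struct pkt p = { .ip_summed = CHECKSUM_NONE };  /* NIC could not verify */
    memcpy(p.data, "constructed-da", 14);
    uint16_t c = csum(p.data, 14);
    p.data[14] = (uint8_t)(c >> 8); p.data[15] = (uint8_t)c;
    if (corrupt) p.data[3] ^= 0x01;                 /* bit flip in transit */
    veth_forward(&p, patched, rx_csum);
    return stack_delivers(&p);
}

int main(void)
{
    printf("corrupt packet delivered? pre-patch=%d rx-off=%d patched=%d\n",
           delivered(0, 1, 1), delivered(0, 0, 1), delivered(1, 1, 1));
    return 0;
}
```

In the model, the corrupted packet reaches the application only on the pre-patch path with RX checksum offload enabled; valid packets are delivered in every configuration.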