[ovs-dev] [ovs-discuss] Checksum incorrect when rewriting icmpv6 packet

Ben Pfaff blp at nicira.com
Fri Aug 15 16:44:32 UTC 2014


[adding Jesse and ovs-dev]

On Thu, Aug 14, 2014 at 11:03:52AM -0400, Neal Shrader wrote:
> I came across an issue today what I was attempting to modify the source
> ipv6 address of a router advertisement generated from a local server.  The
> flow in question looks like:
> 
> ovs-ofctl add-flow public
> 'priority=2040,icmp6,in_port=LOCAL,ipv6_dst=ff02::1,table=1,idle_timeout=0,actions=set_field:fe80::1->ipv6_src,strip_vlan,flood'
> 
> When I generate an RA, I see that it has an incorrect checksum, and
> therefore is rejected by the destination host:

I see that commit af9d14a856268d is on master but not on branch-1.10:

    datapath: fix the calculation of checksum for vlan header
    
    In vlan_insert_tag(), we insert a 4-byte VLAN header _after_
    mac header:
    
            memmove(skb->data, skb->data + VLAN_HLEN, 2 * ETH_ALEN);
            ...
            veth->h_vlan_proto = htons(ETH_P_8021Q);
            ...
            veth->h_vlan_TCI = htons(vlan_tci);
    
    so after it, we should recompute the checksum to include these 4 bytes.
    skb->data still points to the mac header, therefore VLAN header is at
    (2 * ETH_ALEN = 12) bytes after it, not (ETH_HLEN = 14) bytes.
    
    This can also be observed via tcpdump:
    
             0x0000:  ffff ffff ffff 5254 005d 6f6e 8100 000a
             0x0010:  0806 0001 0800 0604 0001 5254 005d 6f6e
             0x0020:  c0a8 026e 0000 0000 0000 c0a8 0282
    
    Similar for __pop_vlan_tci(), the vlan header we remove is the one
    overwritten in:
    
    	memmove(skb->data + VLAN_HLEN, skb->data, 2 * ETH_ALEN);
    
    Therefore the VLAN_HLEN = 4 bytes after 2 * ETH_ALEN is the part
    we want to sub from checksum.
    
    Cc: David S. Miller <davem at davemloft.net>
    Cc: Jesse Gross <jesse at nicira.com>
    Signed-off-by: Cong Wang <amwang at redhat.com>
    Signed-off-by: Jesse Gross <jesse at nicira.com>

Perhaps this needs a backport; I haven't studied the code.



More information about the dev mailing list