[ovs-discuss] Incorrect UDP checksum for IP fragmented datagrams that have mod_nw_dst action

Michael Ben-Ami mbenami at digitalocean.com
Fri Apr 29 19:11:42 UTC 2016

OVS version:

ovs-ofctl (Open vSwitch) 2.3.2
Compiled Aug 24 2015 18:39:15
OpenFlow versions 0x1:0x4

Linux version:

Linux version 3.13.0-52-generic (buildd at comet) (gcc version 4.8.2
(Ubuntu 4.8.2-19ubuntu1) ) #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015

When IP-fragemented UDP datagrams hit a rule that looks like:

 cookie=0x0, duration=176936.052s, table=1, n_packets=68911,
n_bytes=8452972, idle_age=8, hard_age=65534,

All IP traffic that hits this flow is successfully received by the VM with
IP address, besides UDP traffic that is IP fragmented.

We used netcat and wireshark to test. An example case is a VM receiving
5000 bytes of UDP traffic over netcat. If the sender does UDP segmentation
to sizes of 2048, 2048, and 904 bytes, and the first two segments are
further IP fragmented on the wire (before hitting OVS), the listening
netcat on the VM will receive 904 bytes, and the counter of Udp InCsumErrors
in netstat -su output will increase by 2.

The following output is taken from tcpdump/wireshark on the receiving VM
for the 5000-byte example described above.

[image: Inline image 1]

I tried this workaround but it failed:

# ovs-ofctl set-frags public reassemble
ovs-ofctl: public: setting fragment handling mode failed (this switch
probably doesn't support mode "reassemble")

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20160429/83aaef2f/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 154598 bytes
Desc: not available
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20160429/83aaef2f/attachment-0002.png>

More information about the discuss mailing list