force the udp checksum for dhcp
The default VM settings assume UDP checksums will be computed in hardware. This fix forces the appliance to calculate the checksum for DHCP replies. This fix was inspired by the upstream reference implementation [1]. [1] https://review.openstack.org/#/c/148718/8/neutron/agent/linux/dhcp.py Change-Id: Id5d4ecdb3ce803b4b2a571f9033a637b7818ee08
parent
91e1bf3981
commit
fc15f4b404
@ -58,6 +58,7 @@ class IPTablesManager(base.Manager):
|
||||
rules = itertools.chain(
|
||||
self._build_filter_table(config),
|
||||
self._build_nat_table(config),
|
||||
self._build_mangle_table(config),
|
||||
self._build_raw_table(config)
|
||||
)
|
||||
|
||||
@ -360,6 +361,22 @@ class IPTablesManager(base.Manager):
|
||||
|
||||
return rules
|
||||
|
||||
def _build_mangle_table(self, config):
|
||||
rules = [
|
||||
Rule('*mangle', ip_version=4),
|
||||
Rule(':INPUT - [0:0]', ip_version=4),
|
||||
Rule(':OUTPUT - [0:0]', ip_version=4),
|
||||
Rule(':FORWARD - [0:0]', ip_version=4),
|
||||
Rule(':PREROUTING - [0:0]', ip_version=4),
|
||||
Rule(':POSTROUTING - [0:0]', ip_version=4),
|
||||
Rule(
|
||||
('-A POSTROUTING -p udp -m udp --dport 68 '
|
||||
'-j CHECKSUM --checksum-fill'),
|
||||
ip_version=4),
|
||||
Rule('COMMIT', ip_version=4)
|
||||
]
|
||||
return rules
|
||||
|
||||
def _build_raw_table(self, config):
|
||||
'''
|
||||
Add raw rules (so we can mark private traffic and avoid NATing it)
|
||||
|
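Review bot: The rule added in `_build_mangle_table` matches any UDP packet with destination port 68 that passes POSTROUTING on any interface, which is wider than the "DHCP replies" the commit message describes. If the replies always come from the appliance's own DHCP server, the match could be narrowed to `'-A POSTROUTING -p udp -m udp --sport 67 --dport 68 '`, and possibly to the tenant-facing interfaces with `-o`, so the mangle table only touches traffic it is meant for. The method also takes `config` without using it and, unlike `_build_raw_table` below it, has no docstring; a short one such as `'''Add mangle rules (fill in UDP checksums for DHCP replies when offload is unavailable)'''` would record why the rule exists. The CHECKSUM target presumably depends on kernel support in the appliance image, and since the mangle table is emitted before the raw table in the `itertools.chain` call, it is worth confirming how a load failure here is surfaced rather than leaving later tables silently unapplied.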
@ -88,6 +88,14 @@ V4_OUTPUT = [
|
||||
'-A PREROUTING -i eth2 -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:9602', # noqa
|
||||
'-A POSTROUTING -o eth1 -j MASQUERADE',
|
||||
'COMMIT',
|
||||
'*mangle',
|
||||
':INPUT - [0:0]',
|
||||
':OUTPUT - [0:0]',
|
||||
':FORWARD - [0:0]',
|
||||
':PREROUTING - [0:0]',
|
||||
':POSTROUTING - [0:0]',
|
||||
'-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill',
|
||||
'COMMIT',
|
||||
'*raw',
|
||||
':INPUT - [0:0]',
|
||||
':OUTPUT - [0:0]',
|
||||
|