By-default, don't create an iptables rule to checksum SCTP#48149
Merged
cpuguy83 merged 1 commit intomoby:masterfrom Jul 10, 2024
For SCTP port mappings, an iptables mangle rule was created to fix the checksum. The code comment says it was done to fix a problem caused by the veth driver reporting NETIF_F_SCTP_CRC since kernel 4.9, when used with NICs that do not support NETIF_F_SCTP_CRC. But the checksum rule fills in the checksum in the IP header, not an SCTP checksum, so it doesn't seem related. And, quoting from the GitHub issue, "since kernel v4.19, the xt_CHECKSUM.c explicitly states it should only be used for UDP and only in the OUTPUT chain - while docker is using it for SCTP in the PREROUTING chain". Furthermore, the rule is reported to be causing errors for SCTP between containers. Because we don't entirely understand why the rule exists, it is now only added if the daemon's env has DOCKER_IPTABLES_SCTP_CHECKSUM=1. If no problems are reported, that escape-hatch and the code to add the rule will be removed in a future release. Signed-off-by: Rob Murray <rob.murray@docker.com>
corhere
approved these changes
Jul 10, 2024
cpuguy83
approved these changes
Jul 10, 2024
This was referenced Aug 15, 2024
Contributor
Removing 27.2 cherry-pick label as technically it's a breaking change
- What I did
For SCTP port mappings, an iptables mangle rule was created to fix the checksum. The code comment says it was done to fix a problem caused by the veth driver reporting NETIF_F_SCTP_CRC since kernel 4.9, when used with NICs that do not support NETIF_F_SCTP_CRC.
But the checksum rule fills in the checksum in the IP header, not an SCTP checksum, so it doesn't seem related. And, quoting from the GitHub issue, "since kernel v4.19, the xt_CHECKSUM.c explicitly states it should only be used for UDP and only in the OUTPUT chain - while docker is using it for SCTP in the PREROUTING chain".
Furthermore, the rule is reported to be causing errors for SCTP between containers.
- How I did it
Because we don't entirely understand why the rule exists, it is now only added if the daemon's env has `DOCKER_IPTABLES_SCTP_CHECKSUM=1`. If no problems are reported, that escape-hatch and the code to add the rule will be removed in a future release.
- How to verify it
Use `iptables -nvL -t mangle` to check that the rule is only created when the env-var `DOCKER_IPTABLES_SCTP_CHECKSUM=1`.
- Description for the changelog
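A scriptable version of the verification step above, added here as an example and not part of the PR or of moby's own code: it counts SCTP rules that jump to the CHECKSUM target in an iptables-save style dump of the mangle table, and checks the count against what the daemon should produce for a given `DOCKER_IPTABLES_SCTP_CHECKSUM` setting. The sample dumps are constructed, and the exact rule text (chain, port match) is an assumption; only `-p sctp` and `-j CHECKSUM` are relied on.

```shell
#!/bin/sh
# Added example (not moby code). Reads iptables-save(8) style output on stdin,
# e.g. `iptables-save -t mangle`, and counts rules that match SCTP and jump to
# the CHECKSUM target, in whichever chain they were added to.
count_sctp_checksum_rules() {
    awk '/^-A / && / -p sctp / && / -j CHECKSUM/ { n++ } END { print n + 0 }'
}

# Constructed mangle-table dumps illustrating the two cases from the PR
# description. The rule line is an assumption about the daemon's rule text.
DUMP_WITH_RULE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p sctp -m sctp --dport 9999 -j CHECKSUM --checksum-fill
COMMIT'

DUMP_WITHOUT_RULE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# verify_expectation ENV_VALUE DUMP
# Returns 0 when DUMP matches what the daemon should have produced for the
# given DOCKER_IPTABLES_SCTP_CHECKSUM value: at least one SCTP CHECKSUM rule
# when it is "1", none otherwise.
verify_expectation() {
    env_value=$1
    dump=$2
    n=$(printf '%s\n' "$dump" | count_sctp_checksum_rules)
    if [ "$env_value" = "1" ]; then
        [ "$n" -ge 1 ] && return 0
    else
        [ "$n" -eq 0 ] && return 0
    fi
    return 1
}

# On a live host, after starting dockerd with or without the env-var:
#   iptables-save -t mangle | count_sctp_checksum_rules
#   verify_expectation "${DOCKER_IPTABLES_SCTP_CHECKSUM:-}" "$(iptables-save -t mangle)"
```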