
Bug#382985: teergrubes NATted connections due to mangled IPv4 checksums



Package: linux-image-2.6.16-2-xen-686
Version: 2.6.16-17
Severity: grave

A recently added optimization skips checksums on all packets it
believes are destined for another Xen domain inside the same box.
Too bad, it is sometimes wrong -- an analysis can be found on
http://lists.xensource.com/archives/html/xen-users/2006-03/msg00159.html

This had been fixed before -- NETIF_F_NO_CSUM was changed to 0;
however, in the current version of the Xen patch in unstable it is
again enabled, set to NETIF_F_IP_CSUM (i.e., IPv4 TCP and UDP only) this
time.
Unfortunately, an idiot running nearly only IPv6 can miss this bug,
unknowingly teergrubing other hosts.  I've personally managed to do
this to lists.debian.org, making it keep a number of exim4 processes
trying to deliver mail to my server.  Thus, it was suggested to file
this bug as 'grave'.

IPv4 ICMP, all IPv6 and connections which actually don't leave the
box work fine; same for those which get bridged away to a physical
interface without passing through NAT.

The fix: as in the quoted link, change
  dev->features        = NETIF_F_IP_CSUM;
to
  dev->features        = 0;

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (202, 'unstable'), (201, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-xen-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages linux-image-2.6.16-2-xen-686 depends on:
ii  initramfs-tools [linux-initra 0.73c      tools for generating an initramfs
ii  linux-modules-2.6.16-2-xen-68 2.6.16-17  Linux kernel modules 2.6.16 image

Versions of packages linux-image-2.6.16-2-xen-686 recommends:
ii  libc6-xen                     2.3.6-19   GNU C Library: Shared libraries [X

-- no debconf information
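
A receiver-side check for the symptom this report describes, as an added example that is not part of the original report or of the Xen patch: it recomputes the IPv4 TCP/UDP checksum, pseudo-header included, of one captured packet. The sample packet, its documentation-range addresses and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement sum over big-endian 16-bit words, carries folded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    if (n) acc += (uint32_t)p[0] << 8;       /* odd trailing byte, zero-padded */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* 1 = TCP/UDP checksum valid, 0 = bad, -1 = not an unfragmented IPv4 TCP/UDP packet. */
int l4_csum_ok(const uint8_t *ip, size_t len)
{
    if (len < 20 || ip[0] >> 4 != 4) return -1;
    size_t ihl = (ip[0] & 0x0f) * 4u, tot = (size_t)ip[2] << 8 | ip[3];
    uint8_t proto = ip[9];
    if (ihl < 20 || tot < ihl || tot > len) return -1;
    if ((proto != 6 && proto != 17) || (ip[6] & 0x3f) || ip[7]) return -1;
    const uint8_t *l4 = ip + ihl;
    size_t l4len = tot - ihl;
    if (l4len < (proto == 6 ? 20u : 8u)) return -1;
    if (proto == 17 && !l4[6] && !l4[7]) return 1;  /* IPv4 UDP: 0 means "no checksum" */
    /* Pseudo-header: source and destination address, protocol, L4 length. */
    uint32_t acc = sum16(ip + 12, 8, (uint32_t)proto + (uint32_t)l4len);
    return sum16(l4, l4len, acc) == 0xffff;
}

/* Constructed sample: 192.0.2.1:32768 -> 198.51.100.25:25, TCP SYN, checksum 0x2caa. */
static const uint8_t sample[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x4e,0x82,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x19,
    0x80,0x00,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x16,0xd0, 0x2c,0xaa,0x00,0x00 };

/* stale_csum = 1: source rewritten to 203.0.113.7, TCP checksum left untouched. */
int check_sample(int stale_csum)
{
    uint8_t pkt[sizeof sample];
    memcpy(pkt, sample, sizeof pkt);
    if (stale_csum) { pkt[12] = 203; pkt[13] = 0; pkt[14] = 113; pkt[15] = 7; }
    return l4_csum_ok(pkt, sizeof pkt);
}

int main(void) { printf("%d %d\n", check_sample(0), check_sample(1)); return 0; }
```

Run it over packets captured on the receiving host: a capture taken on the sending machine can show unfinished checksums for offloaded packets that are completed later in the transmit path.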


