On Mon, Jan 22, 2018 at 6:42 PM, Ed Swierk <eswi...@skyportsystems.com> wrote: > In the OVS conntrack receive path, ovs_ct_execute() pulls the skb to > the L3 header but does not trim it to the L3 length before calling > nf_conntrack_in(NF_INET_PRE_ROUTING). When nf_conntrack_proto_tcp > encounters a packet with lower-layer padding, nf_checksum() fails and > logs "nf_ct_tcp: bad TCP checksum". While extra zero bytes don't > affect the checksum, the length in the IP pseudoheader does. That > length is based on skb->len, and without trimming, it doesn't match > the length the sender used when computing the checksum. > > In ovs_ct_execute(), call skb_network_trim() before any L3+ conntrack > processing. > > Signed-off-by: Ed Swierk <eswi...@skyportsystems.com>
Acked-by: Pravin B Shelar <pshe...@ovn.org> Thanks. _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
