Bad udp cksum on packets from odhcp6c

yorik · January 7, 2020, 9:00pm

Hi,

I’m trying to investigate some DHCP issues and noticed that DHCP requests from odhcp6c have incorrect checksum:
23:27:58.891929 xx:xx:xx:xx:xx:xx > xx:xx:xx:xx:xx:xx, ethertype IPv6 (0x86dd), length 234: (flowlabel 0xd75ae, hlim 64, next-header UDP (17) payload length: 180) xxxx:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx.546 > xxxx:xxxx:xxxx:xx::xxx.547: [bad udp cksum 0xacb4 -> 0xda2a!] dhcp6 renew (xid=c8c0a (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_82 opt_83 opt_94 opt_95 opt_96 server-unicast) (client-ID hwaddr type 1 xxxxxxxxxxxx) (server-ID hwaddr/time type 1 time xxxxxxxxx xxxxxxxxxxxx) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0 (IA_ADDR xxxx:xxx:xxxx:x::xx pltime:0 vltime:0)) (IA_PD IAID:1 T1:0 T2:0 (IA_PD-prefix xxxx:xxx:xxxx::/64 pltime:0 vltime:0)))

I found 2 solutions to fix it. First:

ethtool --offload eth2 tx off

-ash: ethtool: not found

opkg install ethtool

Unknown package ‘ethtool’.
Collected errors:

opkg_install_cmd: Cannot install package ethtool.

And the second one:

iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill

iptables v1.6.2: unknown option “–checksum-fill”
Try `iptables -h’ or ‘iptables --help’ for more information.

Any idea how to install ethtool or some better way to fix it?

Thanks!

P.S.

cat /etc/turris-version

4.0.3

anon50890781 · January 7, 2020, 9:29pm

Is it causing DHCPv6 trouble with getting a IPv6 from the upstream server - assuming this being the ISP?

Not sure whether there are difference between the various TO hardware/board revisions, however on the CZ11NIC20 board

ethtool -k eth2 | grep offload produces

tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]

and ethtool -k eth2 | grep check producing

rx-checksumming: off [fixed]
tx-checksumming: on
tx-checksum-ipv4: on
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: on
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]

Whatever [fixed] cannot be changed

This may require the kernel paramater

net.netfilter.nf_conntrack_checksum = 1

and/or modules to be installed

iptables-mod-checksum
kmod-ipt-checksum

yorik · January 7, 2020, 9:34pm

How you get ethtool installed on your board? This is the biggest problem, that I don’t have it and can’t install.

Yes, my router is sending the requests to ISP.

yorik · January 7, 2020, 9:39pm

Sorry, I was silly, I just needed to do opkg update.

My settings:

# ethtool -k eth2 | grep offload 
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]

# ethtool -k eth2 | grep check 
rx-checksumming: off [fixed]
tx-checksumming: on
	tx-checksum-ipv4: on
	tx-checksum-ip-generic: off [fixed]
	tx-checksum-ipv6: on
	tx-checksum-fcoe-crc: off [fixed]
	tx-checksum-sctp: off [fixed]

anon50890781 · January 7, 2020, 9:52pm

ethtool -K eth2 tx off sorts it then?
__

?

yorik · January 7, 2020, 10:02pm

yes, thank you!

(This is a filler for error “Post must be at least 20 characters”

anon50890781 · January 7, 2020, 10:12pm

Not sure whether it is a potential bug in the kernel version that ships with TOS4.x and/or something in odhcpd source code ^[1]

/ Let the kernel compute our checksums
          val = 2;
          if (setsockopt(sock, IPPROTO_RAW, IPV6_CHECKSUM, &val, sizeof(val)) < 0)
                  goto failure;

It might be remedied in more contemporary kernel | odhcpd versions, just to keep in mind.

^[1] https://git.openwrt.org/?p=project/odhcp6c.git;a=blob;f=src/ra.c;hb=e199804b602a48eb69f0752584c0ad28495b82ad#l136

vcunat · January 7, 2020, 10:38pm

If you capture packets on the same machine that originates them and the outgoing interface is using checksum offload, it’s normal to capture with wrong checksums. That’s because the capture happens before computation of the checksum in that case.

anon50890781 · January 7, 2020, 11:14pm

Oh, the intricacies of packet capture…

One should bother to read up on man pages

K
–dont-verify-checksums
Don’t attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.

if you have offload features enabled and you see cksum incorrect in tcpdump output, without any packet errors and your network is working properly: it is nothing to worry about because the checksum is actually calculated on the network adapter and the tcpdump is showing the checksum calculated on kernel level.

tcpdump reads IP packets from the Linux kernel right before the actual checksum takes place in the NIC’s chipset

yorik · January 8, 2020, 10:38am

Thanks vcunat! It’s indeed the case: I was running tcpdump on the router and the packets were created on it.

So looks like there is no problem with UDP checksums.