On Mon, Jan 22, 2018 at 6:42 PM, Ed Swierk <[email protected]> wrote: > In the OVS conntrack receive path, ovs_ct_execute() pulls the skb to > the L3 header but does not trim it to the L3 length before calling > nf_conntrack_in(NF_INET_PRE_ROUTING). When nf_conntrack_proto_tcp > encounters a packet with lower-layer padding, nf_checksum() fails and > logs "nf_ct_tcp: bad TCP checksum". While extra zero bytes don't > affect the checksum, the length in the IP pseudoheader does. That > length is based on skb->len, and without trimming, it doesn't match > the length the sender used when computing the checksum. > > In ovs_ct_execute(), call skb_network_trim() before any L3+ conntrack > processing. > > Signed-off-by: Ed Swierk <[email protected]>
Acked-by: Pravin B Shelar <[email protected]> Thanks.
