By-default, don't create an iptables rule to checksum SCTP

For SCTP port mappings, an iptables mangle rule was created to fix
the checksum. The code comment says it was done to fix a problem
caused by the veth driver reporting NETIF_F_SCTP_CRC since kernel
4.9, when used with NICs that do not support NETIF_F_SCTP_CRC.

But the checksum rule fills in the checksum in the IP header,
not an SCTP checksum, so it doesn't seem related. And, quoting
from the github issue, "since kernel v4.19, the xt_CHECKSUM.c
explicitly states it should only be used for UDP and only in the
OUTPUT chain - while docker is using it for SCTP in the PREROUTING
chain".

Furthermore, the rule is reported to be causing errors for SCTP
between containers.

Because we don't entirely understand why the rule exists, it
is now only added if the daemon's env has
DOCKER_IPTABLES_SCTP_CHECKSUM=1. If no problems are reported, that
escape-hatch and the code to add the rule will be removed in a
future release.

Signed-off-by: Rob Murray <rob.murray@docker.com>
Rob Murray
2024-07-10 18:53:54 +01:00
parent 767503d462
commit 8be292a7bb


@@ -9,6 +9,7 @@ import (
"fmt"
"net"
"net/netip"
"os"
"slices"
"strconv"
@@ -545,7 +546,7 @@ func setPerPortForwarding(b portBinding, ipv iptables.IPVersion, bridgeName stri
return err
}
if b.Proto == types.SCTP {
if b.Proto == types.SCTP && os.Getenv("DOCKER_IPTABLES_SCTP_CHECKSUM") == "1" {
// Linux kernel v4.9 and below enables NETIF_F_SCTP_CRC for veth by
// the following commit.
// This introduces a problem when combined with a physical NIC without
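Review bot: the comment block directly under the new condition ("Linux kernel v4.9 and below enables NETIF_F_SCTP_CRC for veth ...") still presents the NETIF_F_SCTP_CRC story as the reason the rule exists, while the commit message says that rationale is doubted and the rule is now opt-in; add a line to that comment stating that the rule is only installed when DOCKER_IPTABLES_SCTP_CHECKSUM=1 and is slated for removal, so the escape hatch is discoverable at the code site rather than only in git history. While touching it, note that the comment says "v4.9 and below" whereas the commit message says "since kernel 4.9"; the two disagree on direction and should be reconciled. Separately, `os.Getenv("DOCKER_IPTABLES_SCTP_CHECKSUM") == "1"` is evaluated inside setPerPortForwarding for every SCTP binding; reading the variable once (a package-level value or a field on the daemon/network config) would avoid a per-binding environment lookup and make the opt-in behaviour straightforward to exercise in a unit test without mutating the process environment.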