[libvirt] [PATCHv2] Add iptables rule to fixup DHCP response checksum.

Laine Stump laine at laine.org
Mon Aug 2 20:22:34 UTC 2010


  On 07/29/2010 10:06 AM, Laine Stump wrote:
> (The only change to this version of the patch is to make the warning
> message more verbose when we fail to add the CHECKSUM rule, noting
> that the failure would likely be solved by updating iptables and the
> kernel.)
>
> This patch attempts to take advantage of a newly added netfilter
> module to correct for a problem with some guest DHCP client
> implementations when used in conjunction with a DHCP server run on the
> host systems with packet checksum offloading enabled.
>
> The problem is that, when the guest uses a RAW socket to read the DHCP
> response packets, the checksum hasn't yet been fixed by the IP stack,
> so it is incorrect.
>
> The fix implemented here is to add a rule to the POSTROUTING chain of
> the mangle table in iptables that fixes up the checksum for packets on
> the virtual network's bridge that are destined for the bootpc port (i.e.
> "dhcpc", i.e. port 68) on the guest.
>
> Only very new versions of iptables will have this support (it will be
> in the next upstream release), so a failure to add this rule only
> results in a warning message. The iptables patch is here:
>
>    http://patchwork.ozlabs.org/patch/58525/
>
> A corresponding kernel module patch is also required (the backend of
> the iptables patch) and that will be in the next release of the
> kernel.
> ---
>   src/libvirt_private.syms    |    2 +
>   src/network/bridge_driver.c |   18 +++++++++++
>   src/util/iptables.c         |   71 +++++++++++++++++++++++++++++++++++++++++++
>   src/util/iptables.h         |    6 ++++
>   4 files changed, 97 insertions(+), 0 deletions(-)

Based on DV's ACK of the previous version, the trivial difference from 
the previous, and approval on IRC, I pushed this V2 patch.
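
The failure described in the quoted commit message, as an added example that is not part of the original post or of libvirt's code: a UDP reply whose checksum field holds only the pseudo-header sum fails the verification a client reading raw packets performs, and passes once the checksum is filled in. That the offloading sender leaves exactly the pseudo-header sum in the field is an assumption of this model; the addresses and payload are constructed sample values.

```python
import socket
import struct

# Constructed sample values (not from the post): host DHCP server -> guest client.
SRC, DST = "192.168.122.1", "192.168.122.50"
SPORT, DPORT = 67, 68                      # bootps -> bootpc
PAYLOAD = b"\x02\x01\x06\x00"              # first bytes of a BOOTREPLY, truncated

def ones_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)

def offloaded_segment(src, dst, sport, dport, payload) -> bytes:
    """Assumed offload behaviour: only the pseudo-header sum is in the field."""
    udp_len = 8 + len(payload)
    partial = ones_sum(pseudo_header(src, dst, udp_len))
    return struct.pack("!HHHH", sport, dport, udp_len, partial) + payload

def fill_checksum(src, dst, segment: bytes) -> bytes:
    """Recompute the full UDP checksum, as the fixup rule is meant to do."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF
    return segment[:6] + struct.pack("!H", csum or 0xFFFF) + segment[8:]

def verifies(src, dst, segment: bytes) -> bool:
    """Receiver-side check, as a client parsing raw packets would do it."""
    if segment[6:8] == b"\x00\x00":        # checksum not used by sender (IPv4 UDP)
        return True
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

if __name__ == "__main__":
    seg = offloaded_segment(SRC, DST, SPORT, DPORT, PAYLOAD)
    fixed = fill_checksum(SRC, DST, seg)
    print("as sent with offload:", seg[6:8].hex(), "valid:", verifies(SRC, DST, seg))
    print("after checksum fill: ", fixed[6:8].hex(), "valid:", verifies(SRC, DST, fixed))
```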




