From the patch which has been accepted upstream: "Packets that arrive from real hardware devices have ip_summed == CHECKSUM_UNNECESSARY if the hardware verified the checksums, or CHECKSUM_NONE if the packet is bad or it was unable to verify it. The current version of veth will replace CHECKSUM_NONE with CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to a veth device to be delivered to the application."

Reproducible: Didn't try

Steps to Reproduce:
1. send data to container
2. inject broken packets
3. broken packets are received

Actual Results:
broken packets are accepted on veth interface, TCP/IP check-summing does not work

Expected Results:
broken packets should not be accepted on veth interface, TCP/IP check-summing should work

Unstable ~arch gentoo-sources-4.4* have this patch applied. Backporting is an option.

Direct link to patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce8c839b74e3017996fad4e1b7ba2e2625ede82f
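A toy model of the behaviour the quoted patch description explains, added here as an example and not taken from the kernel source or the patch itself. The struct, the function names, the enum values and the packet bytes are constructed for the model; it shows why promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY lets a corrupted packet past the receiver's software verification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the two ip_summed states named in the report (values are ours). */
enum { CHECKSUM_NONE = 0, CHECKSUM_UNNECESSARY = 1 };

struct skb {            /* toy stand-in for struct sk_buff */
    uint8_t data[32];
    size_t len;
    int ip_summed;
};

/* RFC 1071 one's-complement checksum; returns 0 over an intact packet whose
 * last two bytes hold the checksum of the preceding bytes. */
static uint16_t inet_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Receiving stack: trusts a hardware verdict, otherwise verifies in software. */
static bool deliver_to_app(const struct skb *s) {
    if (s->ip_summed == CHECKSUM_UNNECESSARY) return true;
    return inet_checksum(s->data, s->len) == 0;
}

/* Pre-fix veth behaviour described in the report: CHECKSUM_NONE is promoted. */
static void veth_xmit_buggy(struct skb *s) {
    if (s->ip_summed == CHECKSUM_NONE) s->ip_summed = CHECKSUM_UNNECESSARY;
}
/* Post-fix behaviour: ip_summed passes through the veth pair untouched. */
static void veth_xmit_fixed(struct skb *s) { (void)s; }

/* Constructed 8-byte packet with a valid trailing checksum, then one bit is
 * flipped and it is marked CHECKSUM_NONE, as a NIC does when it cannot verify. */
static void make_corrupt_packet(struct skb *s) {
    const uint8_t payload[6] = {0x45, 0x00, 0x00, 0x1c, 0xde, 0xad};
    memcpy(s->data, payload, 6);
    uint16_t c = inet_checksum(s->data, 6);
    s->data[6] = (uint8_t)(c >> 8); s->data[7] = (uint8_t)(c & 0xff);
    s->len = 8;
    s->data[1] ^= 0x01;             /* corrupt one bit "in flight" */
    s->ip_summed = CHECKSUM_NONE;
}

/* True if the corrupted packet reaches the application after xmit(). */
static bool corrupt_packet_delivered(void (*xmit)(struct skb *)) {
    struct skb s;
    make_corrupt_packet(&s);
    xmit(&s);
    return deliver_to_app(&s);
}
```

With the buggy transmit path the corrupted packet is delivered; with the fixed path the software checksum catches it and it is dropped.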
Fix in 4.4