949588 – app-emulation/libvirt-10.10.0-r1: CONFIG_CHECK missing for NET_ACT_CSUM

Bug 949588 - app-emulation/libvirt-10.10.0-r1: CONFIG_CHECK missing for NET_ACT_CSUM

Summary: app-emulation/libvirt-10.10.0-r1: CONFIG_CHECK missing for NET_ACT_CSUM

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Michal Prívozník

URL:	https://forums.gentoo.org/viewtopic-p...
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2025-02-10 21:56 UTC by Erik Quaeghebeur
Modified:	2025-02-14 06:01 UTC (History)
CC List:	4 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/40566
Package list:
Runtime testing required:	---

Attachments
emerge info output (emerge.info.txt,16.87 KB, text/plain) 2025-02-11 01:59 UTC, Lyall Pearce	Details
Changes in my kernel config resulting in it working (config.diffs,2.03 KB, text/plain) 2025-02-11 06:12 UTC, Lyall Pearce	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Erik Quaeghebeur 2025-02-10 21:56:23 UTC

After upgrading to qemu-9.1.2 and restarting my system, I could not start my virtual machine using the virbr0 interface. Upon checking, I found the following error:

---
internal error: Failed to apply firewall command '/sbin/tc filter add dev virbr0 prio 2 protocol ip parent 1: u32 match ip dport 68 ffff action csum ip and udp': Error: Failed to load TC action module.
                   We have an error talking to the kernel 
---

Based on that error, I found and added NET_ACT_CSUM kernel option as a module. After rebooting into the newly compiled kernel, all was fine again. So it seems that this NET_ACT_CSUM option is now required for setting up virbr0 interfaces. So it should be listed in a CONFIG_CHECK in the qemu ebuild now.

Reproducible: Always

Comment 1 Brian Evans 2025-02-11 00:00:10 UTC

This command failure actually comes from libvirt (src/network/network_nftables.c):

    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_TC,
                      "filter", "add", "dev", iface,
                      "prio", "2", "protocol", "ip", "parent", "1:",
                      "u32", "match", "ip", "dport", portstr, "ffff",
                      "action", "csum", "ip", "and", "udp",
                      NULL);

Comment 2 Lyall Pearce 2025-02-11 01:59:03 UTC

Created attachment 918629 [details]
emerge info output

I experience the same problem, yet I have the kernel module as a module in my running system

# gunzip -c /proc/config.gz | grep CONFIG_NET_ACT
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=m
# CONFIG_NET_ACT_MIRRED is not set
# CONFIG_NET_ACT_SAMPLE is not set
CONFIG_NET_ACT_IPT=m
# CONFIG_NET_ACT_NAT is not set
# CONFIG_NET_ACT_PEDIT is not set
# CONFIG_NET_ACT_SIMP is not set
# CONFIG_NET_ACT_SKBEDIT is not set
# CONFIG_NET_ACT_CSUM is not set
# CONFIG_NET_ACT_MPLS is not set
# CONFIG_NET_ACT_VLAN is not set
# CONFIG_NET_ACT_BPF is not set
# CONFIG_NET_ACT_CONNMARK is not set
# CONFIG_NET_ACT_CTINFO is not set
# CONFIG_NET_ACT_SKBMOD is not set
# CONFIG_NET_ACT_IFE is not set
# CONFIG_NET_ACT_TUNNEL_KEY is not set
# CONFIG_NET_ACT_CT is not set
# CONFIG_NET_ACT_GATE is not set

Comment 3 Lyall Pearce 2025-02-11 06:12:39 UTC

Created attachment 918632 [details]
Changes in my kernel config resulting in it working

Whilst flailing around in the kernel settings attempting to get this working, I got it working!

Find attached the difference between my .config.prev (which was working a week ago) to my current .config

Basically, I went in to networking QoS and made everything 'Y' rather than 'M' that was already a 'M'

Also, it is possible that CONFIG_NET_ACT_GACT being enabled as a 'M'odule may have helped.

Really unsure which parameter was the problem but I figured this post may be useful as a start.

Comment 4 Erik Quaeghebeur 2025-02-11 20:44:31 UTC

(In reply to Lyall Pearce from comment #3)
> Really unsure which parameter was the problem but I figured this post may be
> useful as a start.
I would like to keep this bug report about NET_ACT_CSUM being missing only. It is a very well-defined and identified issue that the developers can fix relatively easily. There may be other CONFIG_CHECKs to add, as your description suggests, but making this part of this bug report would make it too vague. The best is to investigate further in the forums and file a bug once it is clear what is missing.

Comment 5 Larry the Git Cow gentoo-dev

2025-02-14 06:01:46 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b51436d29ca1a6c83ed364e955ea5bd4b94f3bd1

commit b51436d29ca1a6c83ed364e955ea5bd4b94f3bd1
Author:     Michal Privoznik <michal.privoznik@gmail.com>
AuthorDate: 2025-02-13 19:55:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-14 06:01:05 +0000

    app-emulation/libvirt: Add missing CONFIG_CHECK for NET_ACT_CSUM
    
    In its upstream commit of v10.10.0-rc1~2 [1] libvirt introduced a
    firewall rule to recompute checksum of DHCP packets because
    otherwise in some configurations guests may be unable to acquire
    IP address. Unfortunately, while reviewing the patch upstream, I
    didn't realize corresponding check for kernel config should be
    introduced into our ebuilds.
    
    1: https://gitlab.com/libvirt/libvirt/-/commit/e9e5ebe6a6e063fa73e57d9714cdcc56c8b65cf6
    Closes: https://bugs.gentoo.org/949588
    Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/libvirt/libvirt-10.10.0-r1.ebuild | 1 +
 app-emulation/libvirt/libvirt-11.0.0.ebuild     | 1 +
 app-emulation/libvirt/libvirt-9999.ebuild       | 1 +
 3 files changed, 3 insertions(+)