
Re: [win-pv-devel] Hi, a question about the checksum offload and WinDivert


My responses indented:

From: win-pv-devel [mailto:win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf 
Of Haohao Lee
Sent: 06 November 2018 08:34
To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Subject: [win-pv-devel] Hi, a question about the checksum offload and WinDivert

Hi Xen folks,

I am a Windows application developer. We developed an application which 
modifies packets and rejects them back into the network stack to do some 
network proxy transparently.

We achieved this by using WinDivert (https://reqrypt.org/windivert.html), which 
is a tool/driver that allows user-mode applications to capture/modify/drop network 
packets sent to/from the Windows network stack.

Our app worked well on physical Windows machines but on Xen virtual machines we 
encountered a problem.

- Everything works well before we start our app.
- Network traffic is blocked after the app is started, even a single SYN packet 
couldn't be sent out.

If we disable the checksum offload in Xen Net Driver, everything starts to work 

> Hi Hao,
> Which checksum offload? Just TCP or IPv4 too?

Testing Environment:
Xen Virtual Machine: Windows 7 Sp1 x64 with latest updates
Xen Net Driver: Driver version xennet.sys version

I have a couple of questions:
1. Is this a problem of WinDivert driver or Xen Net driver from your 

> Since the stable (i.e. 8.x) drivers pass all logo tests (which have detailed 
> checks of the semantics of checksum offload, LSO, etc.) then I'd say the 
> problem lies in the application. One thing to try is disabling LRO though... 
> this is disabled for logo testing since the version of NDIS we use doesn't 
> actually support it. (Moving to a newer NDIS is on the TODO list).

2. If this belongs to Xen Net driver, does the latest driver fix this?
3. I found many articles on the Internet which teach people to disable checksum 
offload (and other kinds of offload) for Xen virtual machines, e.g. some 
tutorials from AWS. Why is this option ON by default if it shouldn't be, or is 
there any introduction about the context why it is ON by default? I know what 
TCP/IP checksum is, but in virtual machine context, I have no idea if it is 
necessary or not.

Any comment or suggestion is appreciated.

> The answer is "it's complicated" :-) The default set of offloads is the set 
> we use in Citrix branded versions of the drivers for XenServer and, whilst 
> there used to be many issues with such offloads in the past (pre Xenserver 
> 7.x), we have not had *any* reports from the field to suggest there are any 
> current issues with checksum or large packet offloads in the 8.x drivers.
> Cheers,
> Paul

