VPP is broken on recent Linux hosts for AF_PACKET reads.

Experimental setup: Debian 9.0, 3 containers - traffic source, vpp and traffic sink.

Topology: Source <vEth>VPP<vEth>Sink

VPP is configured to do trivial ipv4 routing like this:

create host-interface name eth1
create host-interface name eth2
set int state host-eth1 up
set int state host-eth2 up
set int ip address host-eth1 192.168.98.2/24
set int ip address host-eth2 192.168.99.1/24

Ping from Source to Sink across vpp works.

TCP from Source to Sink does not connect. Inspecting the traffic with tcpdump shows broken TCP checksums.

The root cause is the switch in the Linux kernel to using CSUM_PARTIAL and delayed checksumming across the board. Any of the virtual interfaces in Linux which are reported as TX offload capable actually delay the csum computation and place only the partial csum of the header into the tcp and udp csum field (as expected by the current offload conventions and documented here: https://www.kernel.org/doc/Documentation/networking/checksum-offloads.txt).

This has the following consequence on a raw packet reader/writer such as af_packet in vpp. It must either fully compute checksums to the correct values or use VNET headers (originally defined for virtio) to obtain the necessary checksum information to handle CSUM_PARTIAL frames arriving onto its raw sockets. Presently it does not.

So rather unsurprisingly it is incapable of forwarding any TCP traffic between virtual interfaces.