ICMP messages are not forwarded back to the backing pod of a workload in ebpf #8854
tomastigera added a commit to tomastigera/project-calico-calico that referenced this issue on May 25, 2024:

When a service (nodeport) is accessed from outside the cluster and traffic from the backend generates an ICMP error outside the cluster, we need to deliver the ICMP error (e.g. MTU too big) back to the backend workload so that it can adjust. These packets were not sent back into the vxlan tunnel, nor did we DNAT them if they were.

fixes projectcalico#8854
tomastigera added a commit to tomastigera/project-calico-calico that referenced this issue on Jun 3, 2024:

When a service (nodeport) is accessed from outside the cluster and traffic from the backend generates an ICMP error outside the cluster, we need to deliver the ICMP error (e.g. MTU too big) back to the backend workload so that it can adjust. These packets were not sent back into the vxlan tunnel, nor did we DNAT them if they were.

* add test for small MTU internet link
* check ICMP checksum
* mark packets with resolved ICMP NAT so that we do not do it again in reverse on the next hop.

fixes projectcalico#8854
tomastigera added a commit to tomastigera/project-calico-calico that referenced this issue on Jun 4, 2024:

When a service (nodeport) is accessed from outside the cluster and traffic from the backend generates an ICMP error outside the cluster, we need to deliver the ICMP error (e.g. MTU too big) back to the backend workload so that it can adjust. These packets were not sent back into the vxlan tunnel, nor did we DNAT them if they were.

* add test for small MTU internet link
* check ICMP checksum
* mark packets with resolved ICMP NAT so that we do not do it again in reverse on the next hop.

fixes projectcalico#8854
tomastigera added a commit to tomastigera/project-calico-calico that referenced this issue on Jun 4, 2024:

When a service (nodeport) is accessed from outside the cluster and traffic from the backend generates an ICMP error outside the cluster, we need to deliver the ICMP error (e.g. MTU too big) back to the backend workload so that it can adjust. These packets were not sent back into the vxlan tunnel, nor did we DNAT them if they were.

* add test for small MTU internet link
* check ICMP checksum
* mark packets with resolved ICMP NAT so that we do not do it again in reverse on the next hop.

fixes projectcalico#8854
tomastigera added a commit to tomastigera/project-calico-calico that referenced this issue on Jun 4, 2024:

When a service (nodeport) is accessed from outside the cluster and traffic from the backend generates an ICMP error outside the cluster, we need to deliver the ICMP error (e.g. MTU too big) back to the backend workload so that it can adjust. These packets were not sent back into the vxlan tunnel, nor did we DNAT them if they were.

* add test for small MTU internet link
* check ICMP checksum
* mark packets with resolved ICMP NAT so that we do not do it again in reverse on the next hop.

fixes projectcalico#8854
tomastigera added a commit to tomastigera/project-calico-calico that referenced this issue on Jun 12, 2024:

When a service (nodeport) is accessed from outside the cluster and traffic from the backend generates an ICMP error outside the cluster, we need to deliver the ICMP error (e.g. MTU too big) back to the backend workload so that it can adjust. These packets were not sent back into the vxlan tunnel, nor did we DNAT them if they were.

* add test for small MTU internet link
* check ICMP checksum
* mark packets with resolved ICMP NAT so that we do not do it again in reverse on the next hop.

fixes projectcalico#8854
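The mechanism the commit messages above describe, modelled in plain Python as an added example (this is not Calico's eBPF code and not taken from the project): an ICMP "fragmentation needed" error arrives at the node that performed the service NAT, the node verifies the ICMP checksum before acting on it, looks up the NAT state for the tuple embedded in the error, rewrites the embedded source back to the backend pod, and re-checksums both the embedded IP header and the ICMP message so the pod's stack will accept it. The NAT table, the addresses and ports, and the packet itself are constructed for the example; the VXLAN forwarding to the pod's node and the "already resolved" mark that stops the next hop from redoing the rewrite are not modelled, only the pod IP the packet must now be sent toward is returned.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 1191)
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when the checksum field in data is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(inner_src, inner_sport, inner_dst, inner_dport, mtu, orig_len=1500):
    """Constructed ICMP error as a router on the path would send it: 8-byte ICMP header
    (type, code, checksum, unused, next-hop MTU) followed by the dropped datagram's IP
    header and its first 8 bytes of payload (TCP ports + sequence number)."""
    inner_ip = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, orig_len - 20)
    inner_l4 = struct.pack("!HHI", inner_sport, inner_dport, 0)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + inner_ip + inner_l4
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


def reverse_nat_icmp(icmp: bytes, nat_table: dict):
    """Undo the service NAT inside an ICMP error so it can be delivered to the backend pod.
    nat_table (hypothetical) maps the post-NAT reply tuple (proto, src, sport, dst, dport)
    to (pod_ip, pod_port). Returns (rewritten_icmp, pod_ip, next_hop_mtu); raises
    ValueError when the packet must be dropped instead."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    # Verify before trusting: a corrupted or forged error must not drive a NAT rewrite.
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_FRAG_NEEDED:
        raise ValueError("not a fragmentation-needed error")
    mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4 or inet_checksum(inner[:ihl]) != 0:
        raise ValueError("bad embedded IP header")
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # The embedded datagram is the backend's reply *after* reverse SNAT, so its source is
    # the node/service side; that is the tuple the NAT state knows.
    entry = nat_table.get((proto, src, sport, dst, dport))
    if entry is None:
        raise ValueError("no NAT entry for embedded packet")
    pod_ip, pod_port = entry
    # Rewrite the embedded source to the pod, re-checksum the embedded IP header,
    # then re-checksum the whole ICMP message.
    new_ip = bytearray(inner[:ihl])
    new_ip[12:16] = ipaddress.IPv4Address(pod_ip).packed
    new_ip[10:12] = b"\x00\x00"
    new_ip[10:12] = struct.pack("!H", inet_checksum(bytes(new_ip)))
    new_l4 = struct.pack("!H", pod_port) + inner[ihl + 2:]
    out = bytearray(icmp[:8]) + new_ip + new_l4
    out[2:4] = b"\x00\x00"
    out[2:4] = struct.pack("!H", inet_checksum(bytes(out)))
    return bytes(out), pod_ip, mtu


def is_accepted(icmp: bytes, nat_table: dict) -> bool:
    """True when the error would be rewritten and forwarded, False when it would be dropped."""
    try:
        reverse_nat_icmp(icmp, nat_table)
        return True
    except ValueError:
        return False


# Constructed sample flow: client 198.51.100.7:51234 -> nodeport 192.0.2.10:30080,
# DNAT'ed to backend pod 10.244.1.5:8080 that lives on a different node (reached over VXLAN).
NAT_TABLE = {
    (IPPROTO_TCP, "192.0.2.10", 30080, "198.51.100.7", 51234): ("10.244.1.5", 8080),
}


def demo():
    # The pod's 1500-byte reply, already SNAT'ed back to the nodeport, hit a 1400-byte link.
    pkt = build_frag_needed("192.0.2.10", 30080, "198.51.100.7", 51234, mtu=1400)
    return reverse_nat_icmp(pkt, NAT_TABLE)


if __name__ == "__main__":
    fixed, pod_ip, mtu = demo()
    print(f"forward to pod {pod_ip}, next-hop MTU {mtu}, {len(fixed)} bytes, "
          f"checksum ok={inet_checksum(fixed) == 0}")
```

The checksum check comes first on purpose: the NAT lookup and rewrite are keyed entirely on bytes inside the error, so an error that fails verification is dropped before any state is consulted. After the rewrite the embedded header names the pod, which is exactly what the pod's TCP stack needs to find its own socket and lower its path MTU.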
Expected Behavior
When traffic from the backing pod is hitting a smaller MTU on the way back to the client, ICMP messages signalling that fragmentation is required do not make it back to the backing pod if that pod is on a different node than the one where the service is being resolved.
Current Behavior
Due to the bigger MTU, packets are dropped and the connection is closed.
Possible Solution
Steps to Reproduce (for bugs)
5. Reach the pod via the service IP on a host not backing the pod, so that you get NAT'ed.
6. You need to have a big payload that the pod returns.
Context
Having a problem with the Service IP and having to reduce the MTU.
Your Environment