-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.14.z
This is a clone of issue OCPBUGS-29511. The following is the description of the original issue:
—
Description of problem:
When external TCP traffic is IP fragmented with no DF flag set and is targeted to a pod external IP, the fragmented packets are responded by RST and are not delivered to the PODs application socket.
Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.14.8
Kustomize Version: v5.0.1
Server Version: 4.14.7
Kubernetes Version: v1.27.8+4fab27b
How reproducible:
I built a reproducer for this issue on KVM hosted OCP claster.
I can simulate the same traffic as can be seen in the customer's network.
So we do have a solid reproducer for the issue.
Details are in the JIRA updates.
Steps to Reproduce:
I wrote a simple C-based tcp_server/tcp_client application for testing.
The client simply sends a file towards the server from a networking namespace with
disabled pmtu. The server app runs in a pod and simply waits for connections then reads the data from the socket and stores the received file into /tmp .
There is along the way from the client namespace a veth pair with MTU 1000 since the
path MTU is 1500.
This is enough to get ip packets fragmented along the way from the client to the server.
Details of the setup and testing steps are in the JIRA comments.
Actual results:
$ oc get network.operator -o yaml | grep routingViaHost
routingViaHost: false
All fragmented packets are responded causing a TCP RST and are not delivered to the
application socket in the pod.
Expected results:
Fragmented packets are delivered to the application socket running in a pod with
$ oc get network.operator -o yaml | grep routingViaHost
routingViaHost: false
Additional info:
There is a WA to prevent the issue.
$ oc get network.operator -o yaml | grep routingViaHost
routingViaHost: true
Makes the fragmented traffic arrive at the application socket in the pod.
I can assist with the reproducer and testing on the test env.
Regards Michal Tesar
- blocks
-
OCPBUGS-36554 OCP 4.14.8 responds with RST to all ip fragmented packets arriving to a pod
- Closed
- clones
-
OCPBUGS-29511 OCP 4.14.8 responds with RST to all ip fragmented packets arriving to a pod
- Closed
- is blocked by
-
OCPBUGS-29511 OCP 4.14.8 responds with RST to all ip fragmented packets arriving to a pod
- Closed
- is cloned by
-
OCPBUGS-36554 OCP 4.14.8 responds with RST to all ip fragmented packets arriving to a pod
- Closed
- links to
-
RHBA-2024:4474 OpenShift Container Platform 4.15.z bug fix update