Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-36554

OCP 4.14.8 responds with RST to all ip fragmented packets arriving to a pod

XMLWordPrintable

    • Moderate
    • No
    • SDN Sprint 256, SDN Sprint 257
    • 2
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, when the OVN-Kubernetes setting for routing-via-host was set to the default value of shared gateway mode, OVN-Kubernetes did not correctly handle traffic streams that mixed non-fragmented and fragmented packets from the IP layer on cluster ingress. With this release, OVN-Kubernetes correctly reassembles and handles external traffic IP packet fragments when ingressing and the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-36544[*OCPBUGS-36554*])
      Show
      * Previously, when the OVN-Kubernetes setting for routing-via-host was set to the default value of shared gateway mode, OVN-Kubernetes did not correctly handle traffic streams that mixed non-fragmented and fragmented packets from the IP layer on cluster ingress. With this release, OVN-Kubernetes correctly reassembles and handles external traffic IP packet fragments when ingressing and the issue is resolved. (link: https://issues.redhat.com/browse/OCPBUGS-36544 [* OCPBUGS-36554 *])
    • Bug Fix
    • Done
    • 30/07/24: Complete - see Padraig OGrady added a comment - 2024/07/30 4:02 PM

      This is a clone of issue OCPBUGS-36382. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-29511. The following is the description of the original issue:

      Description of problem:

      When external TCP traffic is IP fragmented with no DF flag set and is targeted to a pod external IP, the fragmented packets are responded by RST and are not delivered to the PODs application socket.
         
      Version-Release number of selected component (if applicable):

      $ oc version
      Client Version: 4.14.8
      Kustomize Version: v5.0.1
      Server Version: 4.14.7
      Kubernetes Version: v1.27.8+4fab27b
           
      How reproducible:

      I built a reproducer for this issue on KVM hosted OCP claster.
      I can simulate the same traffic as can be seen in the customer's network.
      So we do have a solid reproducer for the issue.
      Details are in the JIRA updates.
           
      Steps to Reproduce:
      I wrote a simple C-based tcp_server/tcp_client application for testing.
      The client simply sends a file towards the server from a networking namespace with
      disabled pmtu. The server app runs in a pod and simply waits for connections then reads the data from the socket and stores the received file into /tmp .
      There is along the way from the client namespace a veth pair with MTU 1000 since the
      path MTU is 1500.
      This is enough to get ip packets fragmented along the way from the client to the server.
      Details of the setup and testing steps are in the JIRA comments.  

      Actual results:

      $ oc get network.operator -o yaml | grep routingViaHost
                routingViaHost: false
      All fragmented packets are responded causing a TCP RST and are not delivered to the
      application socket in the pod.  

      Expected results:

      Fragmented packets are delivered to the application socket running in a pod with
      $ oc get network.operator -o yaml | grep routingViaHost
                routingViaHost: false
           

      Additional info:

      There is a WA to prevent the issue.
      $ oc get network.operator -o yaml | grep routingViaHost
                routingViaHost: true
      Makes the fragmented traffic arrive at the application socket in the pod.

      I can assist with the reproducer and testing on the test env.
      Regards Michal Tesar

            jcaamano@redhat.com Jaime Caamaño Ruiz
            openshift-crt-jira-prow OpenShift Prow Bot
            Anurag Saxena Anurag Saxena
            Padraig OGrady Padraig OGrady
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: