Bug
Resolution: Unresolved
Description of problem:
Expectation for sysctl default values:
OpenShift nodes should be throttling ICMP Destination Unreachable messages to one-per-second after the initial burst. The default mask value is 6168, which contains the hex value 8. However, these systems are producing ICMP messages FAR in excess of one per second when the backing pod for their local NodePort is down.
Version-Release number of selected component (if applicable):
OCP v4.17
How reproducible:
Check your current ratemask by running the command below:

$ sysctl net.ipv4.icmp_ratemask

Example output should be like:

net.ipv4.icmp_ratemask = 6168

To see whether "Destination Unreachable" is included:

Destination Unreachable = ICMP type 3
Bit mask = 1 << 3 = 8

$ echo $((6168 & 8))

If the result is 0, type 3 ICMP is NOT throttled → you will get one ICMP per UDP packet.
Steps to Reproduce:
Check your current ratemask by running the command below:

$ sysctl net.ipv4.icmp_ratemask

Example output should be like:

net.ipv4.icmp_ratemask = 6168

To see whether "Destination Unreachable" is included:

Destination Unreachable = ICMP type 3
Bit mask = 1 << 3 = 8

$ echo $((6168 & 8))

If the result is 0, type 3 ICMP is NOT throttled → you will get one ICMP per UDP packet.
Actual results:
$ echo $((6168 & 8))
8

"Destination Unreachable" messages are still not throttled even though ICMP type 3 is included; the default ICMP rate limit should allow a burst of 50 ICMP messages and then throttle to 1 per second.
Expected results:
$ echo $((6168 & 8))
8

The expectation is that ICMP type 3 is included and "Destination Unreachable" messages should have been throttled.
Additional info:
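
An added example, not part of the original report: a small script that decodes an icmp_ratemask value into the ICMP types it covers and counts "unreachable" messages per second in tcpdump -tt -n style text, so the observed rate can be compared with the expected limit. The function names and the sample capture lines (addresses, port, timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode net.ipv4.icmp_ratemask and measure the ICMP unreachable rate.

# Print the ICMP type numbers whose bit is set in MASK ($1), e.g. "3 4 11 12".
ratemask_types() {
    _t=0; _out=""
    while [ "$_t" -lt 32 ]; do
        if [ $(( ($1 >> $_t) & 1 )) -eq 1 ]; then _out="$_out $_t"; fi
        _t=$((_t + 1))
    done
    echo "${_out# }"
}

# Succeed (exit 0) when ICMP type $2 is covered by mask $1.
type_is_limited() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# Read "tcpdump -tt -n" style lines on stdin and print the highest number of
# ICMP unreachable messages seen within any single second.
peak_unreachable_per_sec() {
    awk '/ICMP/ && /unreachable/ { n[int($1)]++ }
         END { m = 0; for (s in n) if (n[s] > m) m = n[s]; print m }'
}

# Constructed sample capture: five unreachables in one second, one in the next,
# plus one unrelated UDP line that must not be counted.
sample_capture() {
    cat <<'EOF'
1700000000.100000 IP 10.0.0.5 > 10.0.0.9: ICMP 10.0.0.5 udp port 30080 unreachable, length 36
1700000000.200000 IP 10.0.0.5 > 10.0.0.9: ICMP 10.0.0.5 udp port 30080 unreachable, length 36
1700000000.300000 IP 10.0.0.5 > 10.0.0.9: ICMP 10.0.0.5 udp port 30080 unreachable, length 36
1700000000.400000 IP 10.0.0.9.40000 > 10.0.0.5.30080: UDP, length 8
1700000000.500000 IP 10.0.0.5 > 10.0.0.9: ICMP 10.0.0.5 udp port 30080 unreachable, length 36
1700000000.900000 IP 10.0.0.5 > 10.0.0.9: ICMP 10.0.0.5 udp port 30080 unreachable, length 36
1700000001.100000 IP 10.0.0.5 > 10.0.0.9: ICMP 10.0.0.5 udp port 30080 unreachable, length 36
EOF
}

mask=${1:-6168}   # pass "$(sysctl -n net.ipv4.icmp_ratemask)" to use the live value
echo "mask $mask covers ICMP types: $(ratemask_types "$mask")"
if type_is_limited "$mask" 3; then
    echo "type 3 (Destination Unreachable) is in the mask"
fi
echo "peak unreachable/sec in sample: $(sample_capture | peak_unreachable_per_sec)"
```

On a node, pipe a real capture of the NodePort traffic into peak_unreachable_per_sec in place of sample_capture.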