OpenShift Request For Enhancement
RFE-5120

Ingress Firewall operator not working with ena interfaces in AWS/ROSA


    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • openshift-4.16
    • SDN

      Description of problem:

         I'm getting this error on AWS/ROSA nodes when I try to create an ingress firewall rule:


      2024-01-24T19:58:35Z INFO controllers.IngressNodeFirewall Comparing currently managed interfaces against list of XDP interfaces on system {"e.managedInterfaces": {}}
      2024-01-24T19:58:35Z INFO controllers.IngressNodeFirewall Attaching firewall interface {"intf": "ens5"}
      2024-01-24T19:58:35Z ERROR controllers.IngressNodeFirewall Fail to attach ingress firewall prog {"error": "could not attach XDP program: create link: invalid argument", "errorCauses": [{"error": "could not attach XDP program: create link: invalid argument"}]}
      github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).attachNewInterfaces.func2
      /go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:202
      k8s.io/client-go/util/retry.OnError.func1


      Apparently this is due to the wrong MTU being set:

      [ 448.622275] ena 0000:00:05.0 ens5: Failed to set xdp program, the current MTU (9001) is larger than the maximum allowed MTU (3498) while xdp is on

      on the ens5 interface:

      2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq master ovs-system state UP group default qlen 1000
          link/ether 02:0b:45:9b:58:af brd ff:ff:ff:ff:ff:ff
          altname enp0s5

      which has the following driver:

      ethtool -i ens5
      driver: ena
      version: 5.14.0-284.48.1.el9_2.x86_64
      firmware-version:
      expansion-rom-version:
      bus-info: 0000:00:05.0
      supports-statistics: yes
      supports-test: no
      supports-eeprom-access: no
      supports-register-dump: no
      supports-priv-flags: no
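A pre-flight check for the condition described above, added here as an example (it is not from the RFE or the operator's code): it parses the ena MTU rejection message the kernel logged and reports whether an ena interface's MTU is within the XDP limit before the operator tries to attach. The 3498 limit is the value the kernel reported in this ticket and is passed in rather than assumed fixed.

```shell
#!/bin/sh
# Added example: ena refuses to load an XDP program while the interface MTU is
# above the limit it reports in dmesg (3498 on the node in this ticket).

# Kernel message quoted in the ticket, embedded as constructed sample input.
SAMPLE_DMESG='[ 448.622275] ena 0000:00:05.0 ens5: Failed to set xdp program, the current MTU (9001) is larger than the maximum allowed MTU (3498) while xdp is on'

# Print "<current> <max>" from an ena XDP/MTU rejection line; prints nothing
# when the line is not that message.
parse_xdp_mtu_error() {
    printf '%s\n' "$1" | sed -n 's/.*current MTU (\([0-9]*\)) is larger than the maximum allowed MTU (\([0-9]*\)).*/\1 \2/p'
}

# Return 0 when an XDP attach is expected to succeed for the given driver and MTU,
# 1 when the ena limit would be exceeded. Drivers other than ena are not checked
# here. The default limit (3498) is the one reported in this ticket; it may
# differ between ena driver versions, so pass the value from your own dmesg.
xdp_mtu_ok() {
    driver=$1; mtu=$2; max=${3:-3498}
    [ "$driver" != "ena" ] && return 0
    [ "$mtu" -le "$max" ]
}

# Live check of one interface on a node (needs ethtool; reads the MTU from sysfs).
check_iface() {
    ifname=$1
    drv=$(ethtool -i "$ifname" 2>/dev/null | awk '/^driver:/ {print $2}')
    mtu=$(cat "/sys/class/net/$ifname/mtu")
    if xdp_mtu_ok "$drv" "$mtu"; then
        echo "$ifname: driver=$drv mtu=$mtu is within the ena XDP limit"
    else
        echo "$ifname: driver=$drv mtu=$mtu exceeds the ena XDP limit; lower the MTU before enabling the operator"
        return 1
    fi
}
```

Run `check_iface ens5` on a ROSA worker to see the verdict for that interface; feed `parse_xdp_mtu_error` a line from `dmesg` to pull out the actual limit your driver reports.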

      Version-Release number of selected component (if applicable):

          OCP: 4.14.9
          ingress firewall operator: 4.14.0-202401151553

      How reproducible:

          100% and also on 4.13

      Steps to Reproduce:

          Follow the docs to install and test the operator.

      Actual results:

          The error shown above.

      Expected results:

          Firewall rules are applied.

      Additional info:


            Marc Curry
            Raffaele Spazzoli
            Anurag Saxena