Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-5120

Ingress Firewall operator not working with ena interfaces in AWS/ROSA


    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Major Major
    • openshift-4.16
    • None
    • SDN
    • None
    • False
    • None
    • False
    • Not Selected

      Description of problem:

         I'm, getting this error on AWS/ROSA nodes when I try to create a ingress firewall rule


      2024-01-24T19:58:35Z INFO controllers.IngressNodeFirewall Comparing currently managed interfaces against list of XDP interfaces on system {"e.managedInterfaces": {}} 152024-01-24T19:58:35Z INFO controllers.IngressNodeFirewall Attaching firewall interface {"intf": "ens5"} 162024-01-24T19:58:35Z ERROR controllers.IngressNodeFirewall Fail to attach ingress firewall prog {"error": "could not attach XDP program: create link: invalid argument", "errorCauses": [{"error": "could not attach XDP program: create link: invalid argument"}]} 17github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).attachNewInterfaces.func2 18/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:202 19k8s.io/client-go/util/retry.OnError.func1


      apparently this is due to the wrong MTU being set:
      [ 448.622275] ena 0000:00:05.0 ens5: Failed to set xdp program, the current MTU (9001) is larger than the maximum allowed MTU (3498) while xdp is on
      on the ens5 interface

      2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq master ovs-system state UP group default qlen 1000
          link/ether 02:0b:45:9b:58:af brd ff:ff:ff:ff:ff:ff
          altname enp0s5

      which has the following driver:

      ethtool -i ens5
      driver: ena
      version: 5.14.0-284.48.1.el9_2.x86_64
      bus-info: 0000:00:05.0
      supports-statistics: yes
      supports-test: no
      supports-eeprom-access: no
      supports-register-dump: no
      supports-priv-flags: no

      Version-Release number of selected component (if applicable):

          OCP: 4.14.9
      ingress firewall operator: 4.14.0-202401151553 

      How reproducible:

          100% and also on 4.13

      Steps to Reproduce:

      follow the docs to install and test the operator.

      Actual results:

          the error shown above

      Expected results:

          firewall rules are applied.

      Additional info:


            mcurry@redhat.com Marc Curry
            rhn-gps-rspazzol Raffaele Spazzoli
            Anurag Saxena Anurag Saxena
            0 Vote for this issue
            7 Start watching this issue