Geneve DSR is broken when running w/o BPF masquerade #32189

Open
brb opened this issue Apr 25, 2024 · 2 comments
Labels
area/loadbalancing Impacts load-balancing and Kubernetes service implementations feature/dsr Relates to Cilium's Direct-Server-Return feature for KPR. kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.


@brb
Member

brb commented Apr 25, 2024

Encountered on the latest main (stable branches might be affected too):

12:39:59.287274 IP 172.18.0.2.30851 > 172.18.0.1.44148: Flags [S.], seq 736152428, ack 72597045, win 32950, options [mss 1330,sackOK,TS val 1289060956 ecr 1762384254,nop,wscale 7], length 0
12:39:59.287471 IP 172.18.0.3.80 > 172.18.0.1.44148: Flags [.], ack 72597124, win 257, options [nop,nop,TS val 1289060956 ecr 1762384254], length 0
12:39:59.287486 IP 172.18.0.1.44148 > 172.18.0.3.80: Flags [R], seq 72597124, win 0, length 0
12:39:59.494078 IP 172.18.0.2.30851 > 172.18.0.1.44148: Flags [R], seq 736152429, win 0, length 01

The second reply gets the wrong src port (should be 30851 instead of 80). Enabling BPF masq fixes the issue.

@brb brb added kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/loadbalancing Impacts load-balancing and Kubernetes service implementations labels Apr 25, 2024
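
The mismatch in the capture above can be checked mechanically. The following is an added example, not part of the issue thread or Cilium's code: it flags packets that reach a client from a different ip:port than the one that sent the SYN-ACK. The function name and the assumption of one connection per client ip:port are this example's own; the sample lines are the four packets from the report, trimmed after the flags field.

```python
import re

# The four packets from the report, trimmed after the flags field.
CAPTURE = """\
12:39:59.287274 IP 172.18.0.2.30851 > 172.18.0.1.44148: Flags [S.]
12:39:59.287471 IP 172.18.0.3.80 > 172.18.0.1.44148: Flags [.]
12:39:59.287486 IP 172.18.0.1.44148 > 172.18.0.3.80: Flags [R]
12:39:59.494078 IP 172.18.0.2.30851 > 172.18.0.1.44148: Flags [R]
"""

PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def find_unreversed_replies(capture):
    """Flag packets that reach a client from a different ip:port than the
    one that sent it the SYN-ACK, i.e. replies whose source was not
    translated back to the address the client connected to.
    Assumption: one connection per client ip:port in the capture."""
    expected = {}   # client (ip, port) -> (ip, port) that sent the SYN-ACK
    findings = []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src = (m["sip"], int(m["sport"]))
        dst = (m["dip"], int(m["dport"]))
        flags = m["flags"]
        if "S" in flags and "." in flags:
            # SYN-ACK: remember which address the client expects replies from.
            expected[dst] = src
        elif dst in expected and src != expected[dst]:
            findings.append({"ts": m["ts"], "client": dst, "seen": src,
                             "expected": expected[dst], "client_reset": False})
        elif "R" in flags and src in expected:
            # Client sends RST to the unexpected source: it rejected the reply.
            for f in findings:
                if f["client"] == src and f["seen"] == dst:
                    f["client_reset"] = True
    return findings

if __name__ == "__main__":
    for finding in find_unreversed_replies(CAPTURE):
        print(finding)
```
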
@julianwiedmann
Member

julianwiedmann commented Apr 25, 2024

from-overlay is probably missing to consider what's described here for from-netdev traffic (i.e. where DSR with IP-option would get handled):

* second reply from the endpoint to be MASQUERADEd or to be

@julianwiedmann julianwiedmann added the feature/dsr Relates to Cilium's Direct-Server-Return feature for KPR. label Apr 25, 2024
@julianwiedmann
Member

This should also cover the same scenario that @giorio94 described in #26407 (comment).
