fix(dsr): set TCPMSS based on address family

rkojedzinszky · rkojedzinszky · commit 20f3f6ae762c · 2026-01-25T18:38:19.000+01:00
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -24,6 +24,8 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/moby/ipvs"
 	"github.com/vishvananda/netlink"
+	"golang.org/x/net/ipv4"
+	"golang.org/x/net/ipv6"
 	v1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
 	"k8s.io/client-go/kubernetes"
@@ -104,6 +106,8 @@ const (
 	tunnelInterfaceType = "tunnel"
 
 	gracefulTermServiceTickTime = 5 * time.Second
+
+	tcpHeaderMinLen = 20
 )
 
 // NetworkServicesController enables local node as network service proxy through IPVS/LVS.
@@ -147,7 +151,7 @@ type NetworkServicesController struct {
 	gracefulTermination bool
 	syncChan            chan int
 	dsr                 *dsrOpt
-	dsrTCPMSS           int
+	mtu                 int
 
 	iptablesCmdHandlers map[v1.IPFamily]utils.IPTablesHandler
 	ipSetHandlers       map[v1.IPFamily]utils.IPSetHandler
@@ -1537,14 +1541,16 @@ func changedIpvsSchedFlags(svc *ipvs.Service, s schedFlags) bool {
 }
 
 // setupMangleTableRule: sets up iptables rule to FWMARK the traffic to external IP vip
-func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol string, port string, fwmark string,
-	tcpMSS int) error {
+func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol string, port string, fwmark string) error {
 	var iptablesCmdHandler utils.IPTablesHandler
+	tcpMSS := nsc.mtu
 	parsedIP := net.ParseIP(ip)
 	if parsedIP.To4() != nil {
 		iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv4Protocol]
+		tcpMSS -= 2*ipv4.HeaderLen + tcpHeaderMinLen
 	} else {
 		iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv6Protocol]
+		tcpMSS -= 2*ipv6.HeaderLen + tcpHeaderMinLen
 	}
 
 	args := []string{"-d", ip, "-m", protocol, "-p", protocol, "--dport", port, "-j", "MARK", "--set-mark", fwmark}
@@ -1592,13 +1598,16 @@ func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol s
 }
 
 func (nsc *NetworkServicesController) cleanupMangleTableRule(ip string, protocol string, port string,
-	fwmark string, tcpMSS int) error {
+	fwmark string) error {
 	var iptablesCmdHandler utils.IPTablesHandler
+	tcpMSS := nsc.mtu
 	parsedIP := net.ParseIP(ip)
 	if parsedIP.To4() != nil {
 		iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv4Protocol]
+		tcpMSS -= 2*ipv4.HeaderLen + tcpHeaderMinLen
 	} else {
 		iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv6Protocol]
+		tcpMSS -= 2*ipv6.HeaderLen + tcpHeaderMinLen
 	}
 
 	args := []string{"-d", ip, "-m", protocol, "-p", protocol, "--dport", port, "-j", "MARK", "--set-mark", fwmark}
@@ -2026,11 +2035,8 @@ func NewNetworkServicesController(clientset kubernetes.Interface,
 	if err != nil {
 		return nil, err
 	}
-	// Sets it to 60 bytes less than the auto-detected MTU to account for additional ip-ip headers needed for DSR, above
-	// method GetMTUFromNodeIP() already accounts for the overhead of ip-ip overlay networking, so we need to
-	// remove 60 bytes (internet headers and additional ip-ip because MTU includes internet headers. MSS does not.)
-	// This needs also a condition to deal with auto-mtu=false
-	nsc.dsrTCPMSS = automtu - utils.IPInIPHeaderLength*3
+	// Store MTU only. Code setting MSS will handle address family, and calculate correct MSS.
+	nsc.mtu = automtu
 
 	nsc.podLister = podInformer.GetIndexer()
 
diff --git a/pkg/controllers/proxy/service_endpoints_sync.go b/pkg/controllers/proxy/service_endpoints_sync.go
@@ -566,8 +566,7 @@ func (nsc *NetworkServicesController) setupExternalIPForDSRService(svcIn *servic
 	externalIPServiceID := fmt.Sprint(fwMark)
 
 	// ensure there is iptables mangle table rule to FWMARK the packet
-	err = nsc.setupMangleTableRule(externalIP.String(), svcIn.protocol, strconv.Itoa(svcIn.port), externalIPServiceID,
-		nsc.dsrTCPMSS)
+	err = nsc.setupMangleTableRule(externalIP.String(), svcIn.protocol, strconv.Itoa(svcIn.port), externalIPServiceID)
 	if err != nil {
 		return fmt.Errorf("failed to setup mangle table rule to forward the traffic to external IP")
 	}
@@ -858,8 +857,7 @@ func (nsc *NetworkServicesController) cleanupDSRService(fwMark uint32) error {
 				klog.V(2).Infof("found mangle rule to cleanup: %s", mangleTableRule)
 
 				// When we cleanup the iptables rule, we need to pass FW mark as an int string rather than a hex string
-				err = nsc.cleanupMangleTableRule(ipAddress, proto, strconv.Itoa(port), strconv.Itoa(int(fwMark)),
-					nsc.dsrTCPMSS)
+				err = nsc.cleanupMangleTableRule(ipAddress, proto, strconv.Itoa(port), strconv.Itoa(int(fwMark)))
 				if err != nil {
 					klog.Errorf("failed to verify and cleanup any mangle table rule to FORWARD the traffic "+
 						"to external IP due to: %v", err)
