
Commit ee0940b

rkojedzinszkyaauren
authored andcommitted
fix(dsr): set TCPMSS based on address family
1 parent b56e3dd commit ee0940b

2 files changed

+18
-13
lines changed

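--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
@@ -24,6 +24,8 @@ import (
 "github.com/coreos/go-iptables/iptables"
 "github.com/moby/ipvs"
 "github.com/vishvananda/netlink"
+"golang.org/x/net/ipv4"
+"golang.org/x/net/ipv6"
 v1 "k8s.io/api/core/v1"
 discoveryv1 "k8s.io/api/discovery/v1"
 "k8s.io/client-go/kubernetes"
@@ -104,6 +106,8 @@ const (
 tunnelInterfaceType = "tunnel"
 
 gracefulTermServiceTickTime = 5 * time.Second
+
+tcpHeaderMinLen = 20
 )
 
 // NetworkServicesController enables local node as network service proxy through IPVS/LVS.
@@ -147,7 +151,7 @@ type NetworkServicesController struct {
 gracefulTermination bool
 syncChan chan int
 dsr *dsrOpt
-dsrTCPMSS int
+mtu int
 
 iptablesCmdHandlers map[v1.IPFamily]utils.IPTablesHandler
 ipSetHandlers map[v1.IPFamily]utils.IPSetHandler
@@ -1537,14 +1541,17 @@ func changedIpvsSchedFlags(svc *ipvs.Service, s schedFlags) bool {
 }
 
 // setupMangleTableRule: sets up iptables rule to FWMARK the traffic to external IP vip
-func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol string, port string, fwmark string,
-tcpMSS int) error {
+func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol string, port string,
+fwmark string) error {
 var iptablesCmdHandler utils.IPTablesHandler
+tcpMSS := nsc.mtu
 parsedIP := net.ParseIP(ip)
 if parsedIP.To4() != nil {
 iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv4Protocol]
+tcpMSS -= 2*ipv4.HeaderLen + tcpHeaderMinLen
 } else {
 iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv6Protocol]
+tcpMSS -= 2*ipv6.HeaderLen + tcpHeaderMinLen
 }
 
 args := []string{"-d", ip, "-m", protocol, "-p", protocol, "--dport", port, "-j", "MARK", "--set-mark", fwmark}
@@ -1592,13 +1599,16 @@ func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol s
 }
 
 func (nsc *NetworkServicesController) cleanupMangleTableRule(ip string, protocol string, port string,
-fwmark string, tcpMSS int) error {
+fwmark string) error {
 var iptablesCmdHandler utils.IPTablesHandler
+tcpMSS := nsc.mtu
 parsedIP := net.ParseIP(ip)
 if parsedIP.To4() != nil {
 iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv4Protocol]
+tcpMSS -= 2*ipv4.HeaderLen + tcpHeaderMinLen
 } else {
 iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv6Protocol]
+tcpMSS -= 2*ipv6.HeaderLen + tcpHeaderMinLen
 }
 
 args := []string{"-d", ip, "-m", protocol, "-p", protocol, "--dport", port, "-j", "MARK", "--set-mark", fwmark}
@@ -2026,11 +2036,8 @@ func NewNetworkServicesController(clientset kubernetes.Interface,
 if err != nil {
 return nil, err
 }
-// Sets it to 60 bytes less than the auto-detected MTU to account for additional ip-ip headers needed for DSR, above
-// method GetMTUFromNodeIP() already accounts for the overhead of ip-ip overlay networking, so we need to
-// remove 60 bytes (internet headers and additional ip-ip because MTU includes internet headers. MSS does not.)
-// This needs also a condition to deal with auto-mtu=false
-nsc.dsrTCPMSS = automtu - utils.IPInIPHeaderLength*3
+// Store MTU only. Code setting MSS will handle address family, and calculate correct MSS.
+nsc.mtu = automtu
 
 nsc.podLister = podInformer.GetIndexer()
 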
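Review bot: `tcpMSS := nsc.mtu` in setupMangleTableRule, and the identical block in cleanupMangleTableRule, subtracts the header overhead without checking that nsc.mtu holds a usable value, so an MTU of zero or one smaller than the overhead yields a zero or negative MSS that is then handed to the rule; the deleted comment in NewNetworkServicesController recorded that the auto-mtu=false case still needed a condition, and the rewrite drops that reminder without adding the check. A guard after the subtraction, e.g. `if tcpMSS <= 0 { return fmt.Errorf("computed DSR TCP MSS %d for %s is not positive (mtu=%d)", tcpMSS, ip, nsc.mtu) }`, would fail loudly instead of installing a nonsensical clamp. The two functions now duplicate the per-family arithmetic, so a small method such as `func (nsc *NetworkServicesController) dsrTCPMSS(ip net.IP) int` would keep them in step and give the guard one home. The explanation of why two IP headers plus a TCP header are subtracted (the outer IP-in-IP tunnel header on top of the inner headers, and MTU counting headers where MSS does not) lived only in the removed comment; it is worth restating as a comment on tcpHeaderMinLen or on that helper. The remainder of both functions, where tcpMSS is presumably used, lies outside the hunk.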
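--- a/pkg/controllers/proxy/service_endpoints_sync.go
+++ b/pkg/controllers/proxy/service_endpoints_sync.go
@@ -566,8 +566,7 @@ func (nsc *NetworkServicesController) setupExternalIPForDSRService(svcIn *servic
 externalIPServiceID := fmt.Sprint(fwMark)
 
 // ensure there is iptables mangle table rule to FWMARK the packet
-err = nsc.setupMangleTableRule(externalIP.String(), svcIn.protocol, strconv.Itoa(svcIn.port), externalIPServiceID,
-nsc.dsrTCPMSS)
+err = nsc.setupMangleTableRule(externalIP.String(), svcIn.protocol, strconv.Itoa(svcIn.port), externalIPServiceID)
 if err != nil {
 return fmt.Errorf("failed to setup mangle table rule to forward the traffic to external IP")
 }
@@ -858,8 +857,7 @@ func (nsc *NetworkServicesController) cleanupDSRService(fwMark uint32) error {
 klog.V(2).Infof("found mangle rule to cleanup: %s", mangleTableRule)
 
 // When we cleanup the iptables rule, we need to pass FW mark as an int string rather than a hex string
-err = nsc.cleanupMangleTableRule(ipAddress, proto, strconv.Itoa(port), strconv.Itoa(int(fwMark)),
-nsc.dsrTCPMSS)
+err = nsc.cleanupMangleTableRule(ipAddress, proto, strconv.Itoa(port), strconv.Itoa(int(fwMark)))
 if err != nil {
 klog.Errorf("failed to verify and cleanup any mangle table rule to FORWARD the traffic "+
 "to external IP due to: %v", err)
 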