
feat: add support for SCTP#2007

Merged
aauren merged 1 commit into cloudnativelabs:master from damex:feature/sctp-np-support
Mar 10, 2026

Conversation

@damex
Contributor

@damex damex commented Feb 20, 2026

No description provided.

@damex damex changed the title from "feat(NPC): add support for SCTP network policies to nodeport whitelist" to "feat(NPC): tests for SCTP ingress/egress" Feb 20, 2026
@damex damex force-pushed the feature/sctp-np-support branch 2 times, most recently from 53e993a to d0b7207 February 20, 2026 09:28
@damex damex changed the title from "feat(NPC): tests for SCTP ingress/egress" to "feat: add support for SCTP" Feb 20, 2026
@damex damex force-pushed the feature/sctp-np-support branch 2 times, most recently from 77752f3 to f9da93b February 20, 2026 09:33
@aauren
Collaborator

aauren commented Mar 8, 2026

@damex I've just started testing this one, I may need a bit longer on this one depending on how the testing goes.

Collaborator

@aauren aauren left a comment


Hey @damex, when I tried testing this I wasn't able to get an SCTP client to talk to an SCTP server via a service.

I did notice an error in the kube-router logs:

2026-03-09T02:05:37.779401362Z E0309 02:05:37.779285   19477 service_endpoints_sync.go:92] Error syncing ipvs svc iptables rules to permit traffic to service VIP's: could not save ipset for service firewall: ipset v7.24: Error in line 27: Syntax error: cannot parse 'sctp' as a protocol

This was performed on a host running: Ubuntu 24.04.4 LTS

I applied the following for an SCTP server:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sctp-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app: sctp-server
  template:
    metadata:
      labels:
        app: sctp-server
    spec:
      containers:
      - name: sctp-server
        image: alpine
        command: ["/bin/sh", "-c"]
        args: ["apk add lksctp-tools && sctp_test -H 0.0.0.0 -P 36412 -l"]
        ports:
        - containerPort: 36412
          protocol: SCTP
---
apiVersion: v1
kind: Service
metadata:
  name: sctp-service
spec:
  selector:
    app: sctp-server
  ports:
  - port: 36412
    targetPort: 36412
    protocol: SCTP
  type: ClusterIP

And then for the client I ran:

kubectl run sctp-client --rm -it --image=alpine -- sh
# apk add lksctp-tools
# sctp_test -H 0.0.0.0 -P 0 -h <cluster_ip_from_above> -p 36412 -s

Maybe you could look into this a little deeper?

@damex
Contributor Author

damex commented Mar 9, 2026

Looks like an error from the Alpine side, right?
And on Alpine they use... musl?

http://git.musl-libc.org/cgit/musl/tree/src/network/proto.c looks like they don't use /etc/protocols and just hardcode those.

I think either patch musl (patch upstream)... or... would it be acceptable to do a protocol name -> numeric value mapping here?

On a side note: do you think we could add some 'test' so this type of error could be caught next time?

Simple check with Alpine:

damex@foosha:~$ sudo podman run --rm -it --privileged alpine sh
[sudo] password for damex:
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.23.3
PRETTY_NAME="Alpine Linux v3.23"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ # apk add -q ipset                                                                                                                   
/ # ipset create test hash:ip,port
/ # ipset add test 10.0.0.1,sctp:80
ipset v7.24: Syntax error: cannot parse 'sctp' as a protocol
/ # ipset add test 10.0.0.1,132:80
/ # ipset add test 10.0.0.1,tcp:80
/ # ipset list test
Name: test
Type: hash:ip,port
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x05a2ac93
Size in memory: 312
References: 0
Number of entries: 2
Members:
10.0.0.1,tcp:80
10.0.0.1,132:80
/ # grep sctp /etc/protocols
sctp	132	SCTP		# Stream Control Transmission Protocol

And here is Ubuntu:

damex@foosha:~$ sudo podman run --rm -it --privileged ubuntu:24.04 sh
# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.4 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
# apt update 
Get:1 http://archive.ubuntu.com/ubuntu noble InRelease [256 kB]
Get:2 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:3 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [3300 kB]
Get:4 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:5 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:6 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages [1808 kB]
Get:7 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Packages [331 kB]  
Get:8 http://archive.ubuntu.com/ubuntu noble/restricted amd64 Packages [117 kB]
Get:9 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [19.3 MB]  
Get:10 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Packages [34.8 kB]
Get:11 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [1895 kB]
Get:12 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [1260 kB]  
Get:13 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [3486 kB]  
Get:14 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [2025 kB]
Get:15 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [2284 kB]
Get:16 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [38.1 kB]
Get:17 http://archive.ubuntu.com/ubuntu noble-backports/main amd64 Packages [49.5 kB]
Get:18 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [34.6 kB]
Fetched 36.6 MB in 4s (8451 kB/s)                           
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
# apt install -y ipset 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  iptables libbsd0 libedit2 libip4tc2 libip6tc2 libipset13 libjansson4 libmnl0 libnetfilter-conntrack3 libnfnetlink0 libnftables1 libnftnl11 libxtables12 netbase
  nftables
Suggested packages:
  firewalld kmod
The following NEW packages will be installed:
  ipset iptables libbsd0 libedit2 libip4tc2 libip6tc2 libipset13 libjansson4 libmnl0 libnetfilter-conntrack3 libnfnetlink0 libnftables1 libnftnl11 libxtables12
  netbase nftables
0 upgraded, 16 newly installed, 0 to remove and 4 not upgraded.
Need to get 1310 kB of archives.
After this operation, 5338 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 libbsd0 amd64 0.12.1-1build1.1 [41.2 kB]
Get:2 http://archive.ubuntu.com/ubuntu noble/main amd64 libmnl0 amd64 1.0.5-2build1 [12.3 kB]
Get:3 http://archive.ubuntu.com/ubuntu noble/main amd64 libxtables12 amd64 1.8.10-3ubuntu2 [35.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu noble/main amd64 netbase all 6.4 [13.1 kB]
Get:5 http://archive.ubuntu.com/ubuntu noble/main amd64 libip4tc2 amd64 1.8.10-3ubuntu2 [23.3 kB]
Get:6 http://archive.ubuntu.com/ubuntu noble/main amd64 libip6tc2 amd64 1.8.10-3ubuntu2 [23.7 kB]
Get:7 http://archive.ubuntu.com/ubuntu noble/main amd64 libnfnetlink0 amd64 1.0.2-2build1 [14.8 kB]
Get:8 http://archive.ubuntu.com/ubuntu noble/main amd64 libnetfilter-conntrack3 amd64 1.0.9-6build1 [45.2 kB]
Get:9 http://archive.ubuntu.com/ubuntu noble/main amd64 libnftnl11 amd64 1.2.6-2build1 [66.0 kB]
Get:10 http://archive.ubuntu.com/ubuntu noble/main amd64 iptables amd64 1.8.10-3ubuntu2 [381 kB]
Get:11 http://archive.ubuntu.com/ubuntu noble/main amd64 libedit2 amd64 3.1-20230828-1build1 [97.6 kB]
Get:12 http://archive.ubuntu.com/ubuntu noble/main amd64 libjansson4 amd64 2.14-2build2 [32.8 kB]
Get:13 http://archive.ubuntu.com/ubuntu noble/main amd64 libnftables1 amd64 1.0.9-1build1 [358 kB]
Get:14 http://archive.ubuntu.com/ubuntu noble/main amd64 nftables amd64 1.0.9-1build1 [69.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu noble/main amd64 libipset13 amd64 7.19-1ubuntu2 [61.5 kB]
Get:16 http://archive.ubuntu.com/ubuntu noble/main amd64 ipset amd64 7.19-1ubuntu2 [32.6 kB]
Fetched 1310 kB in 2s (588 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libbsd0:amd64.
(Reading database ... 4381 files and directories currently installed.)
Preparing to unpack .../00-libbsd0_0.12.1-1build1.1_amd64.deb ...
Unpacking libbsd0:amd64 (0.12.1-1build1.1) ...
Selecting previously unselected package libmnl0:amd64.
Preparing to unpack .../01-libmnl0_1.0.5-2build1_amd64.deb ...
Unpacking libmnl0:amd64 (1.0.5-2build1) ...
Selecting previously unselected package libxtables12:amd64.
Preparing to unpack .../02-libxtables12_1.8.10-3ubuntu2_amd64.deb ...
Unpacking libxtables12:amd64 (1.8.10-3ubuntu2) ...
Selecting previously unselected package netbase.
Preparing to unpack .../03-netbase_6.4_all.deb ...
Unpacking netbase (6.4) ...
Selecting previously unselected package libip4tc2:amd64.
Preparing to unpack .../04-libip4tc2_1.8.10-3ubuntu2_amd64.deb ...
Unpacking libip4tc2:amd64 (1.8.10-3ubuntu2) ...
Selecting previously unselected package libip6tc2:amd64.
Preparing to unpack .../05-libip6tc2_1.8.10-3ubuntu2_amd64.deb ...
Unpacking libip6tc2:amd64 (1.8.10-3ubuntu2) ...
Selecting previously unselected package libnfnetlink0:amd64.
Preparing to unpack .../06-libnfnetlink0_1.0.2-2build1_amd64.deb ...
Unpacking libnfnetlink0:amd64 (1.0.2-2build1) ...
Selecting previously unselected package libnetfilter-conntrack3:amd64.
Preparing to unpack .../07-libnetfilter-conntrack3_1.0.9-6build1_amd64.deb ...
Unpacking libnetfilter-conntrack3:amd64 (1.0.9-6build1) ...
Selecting previously unselected package libnftnl11:amd64.
Preparing to unpack .../08-libnftnl11_1.2.6-2build1_amd64.deb ...
Unpacking libnftnl11:amd64 (1.2.6-2build1) ...
Selecting previously unselected package iptables.
Preparing to unpack .../09-iptables_1.8.10-3ubuntu2_amd64.deb ...
Unpacking iptables (1.8.10-3ubuntu2) ...
Selecting previously unselected package libedit2:amd64.
Preparing to unpack .../10-libedit2_3.1-20230828-1build1_amd64.deb ...
Unpacking libedit2:amd64 (3.1-20230828-1build1) ...
Selecting previously unselected package libjansson4:amd64.
Preparing to unpack .../11-libjansson4_2.14-2build2_amd64.deb ...
Unpacking libjansson4:amd64 (2.14-2build2) ...
Selecting previously unselected package libnftables1:amd64.
Preparing to unpack .../12-libnftables1_1.0.9-1build1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.9-1build1) ...
Selecting previously unselected package nftables.
Preparing to unpack .../13-nftables_1.0.9-1build1_amd64.deb ...
Unpacking nftables (1.0.9-1build1) ...
Selecting previously unselected package libipset13:amd64.
Preparing to unpack .../14-libipset13_7.19-1ubuntu2_amd64.deb ...
Unpacking libipset13:amd64 (7.19-1ubuntu2) ...
Selecting previously unselected package ipset.
Preparing to unpack .../15-ipset_7.19-1ubuntu2_amd64.deb ...
Unpacking ipset (7.19-1ubuntu2) ...
Setting up libip4tc2:amd64 (1.8.10-3ubuntu2) ...
Setting up libip6tc2:amd64 (1.8.10-3ubuntu2) ...
Setting up libjansson4:amd64 (2.14-2build2) ...
Setting up libmnl0:amd64 (1.0.5-2build1) ...
Setting up libxtables12:amd64 (1.8.10-3ubuntu2) ...
Setting up libipset13:amd64 (7.19-1ubuntu2) ...
Setting up libnfnetlink0:amd64 (1.0.2-2build1) ...
Setting up netbase (6.4) ...
Setting up ipset (7.19-1ubuntu2) ...
Setting up libbsd0:amd64 (0.12.1-1build1.1) ...
Setting up libedit2:amd64 (3.1-20230828-1build1) ...
Setting up libnftnl11:amd64 (1.2.6-2build1) ...
Setting up libnetfilter-conntrack3:amd64 (1.0.9-6build1) ...
Setting up libnftables1:amd64 (1.0.9-1build1) ...
Setting up nftables (1.0.9-1build1) ...
Setting up iptables (1.8.10-3ubuntu2) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/iptables-nft to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-nft to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/arptables-nft to provide /usr/sbin/arptables (arptables) in auto mode
update-alternatives: using /usr/sbin/ebtables-nft to provide /usr/sbin/ebtables (ebtables) in auto mode
Processing triggers for libc-bin (2.39-0ubuntu8.7) ...
# ipset create test hash:ip,port
# ipset add test 10.0.0.1,sctp:80
# ipset list test
Name: test
Type: hash:ip,port
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x1fd9460a
Size in memory: 264
References: 0
Number of entries: 1
Members:
10.0.0.1,sctp:80

@aauren
Collaborator

aauren commented Mar 9, 2026

Interesting! Yeah, I can confirm that I was using the official kube-router, which is based on Alpine, and that seems to confirm what you found.

I would say using the integer mapping should be good enough to make it work everywhere for now and maybe get around the musl quirks.

I can't think of a unit test that would test for this and this repo doesn't really do integration tests for now (although it has been something that @catherinetcai has been thinking about).

includes workaround for musl hardcoded protocol table that
  is missing SCTP support by using protocol name to
  numeric value mapping in ipset entries

closes: cloudnativelabs#1019
Signed-off-by: Roman Kuzmitskii <roman@damex.org>
@damex damex force-pushed the feature/sctp-np-support branch from f9da93b to fe1aff7 March 9, 2026 08:16
@damex
Contributor Author

damex commented Mar 9, 2026

@aauren added an exception/workaround for SCTP ipset handling.
It is based only on the protocol being SCTP.
So we do not check if we run on musl to apply the workaround... would that be okay?
The only difference is that when one checks ipsets, SCTP would be numeric all the time even when it could be named (it could be named on glibc).
Checking if that's musl will probably require more places to add checks.

Well, I can also try to send a patch to musl to include 'sctp support' so we could drop this workaround :)
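The two points raised in this thread, that ipset resolves the protocol through the libc name table (which on musl has no "sctp" entry) and that emitting SCTP by number sidesteps that without detecting the libc, can be demonstrated as a small Go program. This is an added example, not kube-router's own code from this PR; the function names (ProtoToken, FormatEntry, ParseEntry, Canonical) and the restriction to tcp/udp/sctp are assumptions made here. It renders hash:ip,port members the way the workaround describes (tcp/udp by name, sctp as 132) and parses members back from `ipset list` output in either form, so a desired set can be compared against what a glibc host or an Alpine host actually shows:

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// IANA protocol numbers, the same values glibc reads from /etc/protocols.
// Assumption (example only): tcp, udp and sctp are the only L4 protocols a
// Service or NetworkPolicy port can name, so anything else is rejected.
const (
	protoTCP  = 6
	protoUDP  = 17
	protoSCTP = 132
)

var protoNumberByName = map[string]int{
	"tcp":  protoTCP,
	"udp":  protoUDP,
	"sctp": protoSCTP,
}

// ProtoToken returns the protocol field to write into a hash:ip,port element.
// tcp and udp stay symbolic because every libc resolves them. sctp is always
// emitted as its number: ipset resolves names via getprotobyname(3), and musl's
// built-in table has no "sctp" entry, so "ipset restore" on an Alpine-based
// image fails with "cannot parse 'sctp' as a protocol". The numeric form is
// accepted on glibc and musl alike, so no libc detection is needed.
func ProtoToken(proto string) (string, error) {
	name := strings.ToLower(strings.TrimSpace(proto))
	num, ok := protoNumberByName[name]
	if !ok {
		return "", fmt.Errorf("unsupported protocol %q", proto)
	}
	if num == protoSCTP {
		return strconv.Itoa(num), nil
	}
	return name, nil
}

// FormatEntry renders one element for "ipset add" / "ipset restore".
func FormatEntry(ip, proto string, port int) (string, error) {
	if net.ParseIP(ip) == nil {
		return "", fmt.Errorf("invalid IP %q", ip)
	}
	if port < 0 || port > 65535 {
		return "", fmt.Errorf("port %d out of range", port)
	}
	tok, err := ProtoToken(proto)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s,%s:%d", ip, tok, port), nil
}

// Entry is a decoded hash:ip,port member.
type Entry struct {
	IP    net.IP
	Proto int
	Port  int
}

// ParseEntry decodes a member line as "ipset list" prints it. The protocol may
// be a name ("sctp", as a glibc host prints it) or a number ("132"), so desired
// and observed set contents compare equal regardless of which libc rendered them.
func ParseEntry(member string) (Entry, error) {
	ipPart, rest, ok := strings.Cut(strings.TrimSpace(member), ",")
	if !ok {
		return Entry{}, fmt.Errorf("malformed member %q", member)
	}
	ip := net.ParseIP(ipPart)
	if ip == nil {
		return Entry{}, fmt.Errorf("invalid IP in %q", member)
	}
	protoPart, portPart, ok := strings.Cut(rest, ":")
	if !ok {
		return Entry{}, fmt.Errorf("missing port in %q", member)
	}
	proto, err := strconv.Atoi(protoPart)
	if err != nil {
		n, known := protoNumberByName[strings.ToLower(protoPart)]
		if !known {
			return Entry{}, fmt.Errorf("unknown protocol %q in %q", protoPart, member)
		}
		proto = n
	}
	port, err := strconv.Atoi(portPart)
	if err != nil || port < 0 || port > 65535 {
		return Entry{}, fmt.Errorf("invalid port in %q", member)
	}
	return Entry{IP: ip, Proto: proto, Port: port}, nil
}

// Canonical renders the entry in the portable form FormatEntry produces, so
// "10.0.0.1,sctp:80" and "10.0.0.1,132:80" canonicalise to the same string.
func (e Entry) Canonical() string {
	tok := strconv.Itoa(e.Proto)
	switch e.Proto {
	case protoTCP:
		tok = "tcp"
	case protoUDP:
		tok = "udp"
	}
	return fmt.Sprintf("%s,%s:%d", e.IP, tok, e.Port)
}

func main() {
	// Constructed sample: the members from the Alpine and Ubuntu checks in the
	// thread, plus an IPv6 member on the SCTP port used by the test Deployment.
	members := []string{"10.0.0.1,tcp:80", "10.0.0.1,132:80", "10.0.0.1,sctp:80", "fd00::1,sctp:36412", "10.0.0.1,bogus:80"}
	for _, m := range members {
		e, err := ParseEntry(m)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%-22s -> %s\n", m, e.Canonical())
	}
	if s, err := FormatEntry("10.96.0.10", "SCTP", 36412); err == nil {
		fmt.Println("restore element:", s)
	}
}
```

Because Canonical always prints SCTP numerically, a reconciliation loop that diffs desired against observed members will not see a spurious difference between "sctp:80" written by a glibc-rendered list and "132:80" written by the workaround.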

Collaborator

@aauren aauren left a comment


This LGTM thanks for the contribution and for the updates!

I'm sure that musl would appreciate the protocol contribution if you're interested in making it! It seems like a neat project to be a contributor to. 🙂

@aauren aauren merged commit 39efb92 into cloudnativelabs:master Mar 10, 2026
7 checks passed