Insert MSS clamping for traffic arriving services

OVN load balancing does not propagate fragment ICMPs down to the services, so when fragmentation becomes necessary the TCP stack of the service pod won't be able to detect this situation. Until this is fixed in OVN this workaround (to be enhanced later) will fix TCP. Fixes-Issue: #1022 Signed-off-by: Miguel Angel Ajo <[email protected]>
submariner-io · Dec 14, 2020 · 8661d7d · 8661d7d
1 parent 7b19629
commit 8661d7d
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go b/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
@@ -3,6 +3,7 @@ package ovn
 import (
 	"net"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
@@ -83,16 +84,30 @@ func (ovn *Handler) updateGatewayDataplane() error {
 	return ovn.setupForwardingIptables()
 }
 
+// TODO: if the #1022 workaround needs to be sustained for some time, instead of this we should be calculating
+//       the PMTU with a tool like tracepath between the gateway endpoints, reporting back so we can use such
+//		 information here.
+const IPTCPOverHead = 40
+const ExpectedIPSECOverhead = 62
+const MSSFor1500MTU = 1500 - IPTCPOverHead - ExpectedIPSECOverhead
+
 func (ovn *Handler) getForwardingRuleSpecs() ([][]string, error) {
 	if ovn.cableRoutingInterface == nil {
 		return nil, errors.New("error setting up forwarding iptables, the cable interface isn't discovered yet, " +
 			"this will be retried")
 	}
 
-	return [][]string{
+	rules := [][]string{
 		{"-i", ovnK8sGatewayInterface, "-o", ovn.cableRoutingInterface.Name, "-j", "ACCEPT"},
-		{"-i", ovn.cableRoutingInterface.Name, "-o", ovnK8sGatewayInterface, "-j", "ACCEPT"},
-	}, nil
+		{"-i", ovn.cableRoutingInterface.Name, "-o", ovnK8sGatewayInterface, "-j", "ACCEPT"}}
+
+	// NOTE: This is a workaround for submariner issue https://github.com/submariner-io/submariner/issues/1022
+	for _, serviceCIDR := range ovn.config.ServiceCidr {
+		rules = append(rules, []string{"-o", ovnK8sGatewayInterface, "-d", serviceCIDR, "-p", "tcp",
+			"--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", strconv.Itoa(MSSFor1500MTU)})
+	}
+
+	return rules, nil
 }
 
 func (ovn *Handler) setupForwardingIptables() error {