From 8661d7d6dd9f49344c276b020b23ea57acb82146 Mon Sep 17 00:00:00 2001
From: Miguel Angel Ajo
Date: Mon, 14 Dec 2020 14:58:31 +0100
Subject: [PATCH] Insert MSS clamping for traffic arriving services

OVN load balancing does not propagate fragment ICMPs down to the services, so when fragmentation becomes necessary the TCP stack of the service pod won't be able to detect this situation. Until this is fixed in OVN this workaround (to be enhanced later) will fix TCP.

Fixes-Issue: #1022
Signed-off-by: Miguel Angel Ajo
---
 .../handlers/ovn/gateway_dataplane.go | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go b/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
index bd05d831b..c75f12dd9 100644
--- a/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
+++ b/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
@@ -3,6 +3,7 @@ package ovn
 import (
 	"net"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
@@ -83,16 +84,30 @@ func (ovn *Handler) updateGatewayDataplane() error {
 	return ovn.setupForwardingIptables()
 }
 
+// TODO: if the #1022 workaround needs to be sustained for some time, instead of this we should be calculating
+// the PMTU with a tool like tracepath between the gateway endpoints, reporting back so we can use such
+// information here.
+const IPTCPOverHead = 40
+const ExpectedIPSECOverhead = 62
+const MSSFor1500MTU = 1500 - IPTCPOverHead - ExpectedIPSECOverhead
+
 func (ovn *Handler) getForwardingRuleSpecs() ([][]string, error) {
 	if ovn.cableRoutingInterface == nil {
 		return nil, errors.New("error setting up forwarding iptables, the cable interface isn't discovered yet, " +
 			"this will be retried")
 	}
 
-	return [][]string{
+	rules := [][]string{
 		{"-i", ovnK8sGatewayInterface, "-o", ovn.cableRoutingInterface.Name, "-j", "ACCEPT"},
-		{"-i", ovn.cableRoutingInterface.Name, "-o", ovnK8sGatewayInterface, "-j", "ACCEPT"},
-	}, nil
+		{"-i", ovn.cableRoutingInterface.Name, "-o", ovnK8sGatewayInterface, "-j", "ACCEPT"}}
+
+	// NOTE: This is a workaround for submariner issue https://github.com/submariner-io/submariner/issues/1022
+	for _, serviceCIDR := range ovn.config.ServiceCidr {
+		rules = append(rules, []string{"-o", ovnK8sGatewayInterface, "-d", serviceCIDR, "-p", "tcp",
+			"--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", strconv.Itoa(MSSFor1500MTU)})
+	}
+
+	return rules, nil
 }
 
 func (ovn *Handler) setupForwardingIptables() error {
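Review bot: The new TCPMSS rules are appended to the same rule list as the ACCEPT forwarding rules, but the iptables TCPMSS target is only valid in the mangle table, so if setupForwardingIptables (which only starts at the end of this hunk) installs these specs into the filter table's FORWARD chain, every clamp rule will be rejected and the workaround will silently not apply; worth confirming which table and chain receives them, and keeping the clamp rules in a separate mangle-table list if needed. MSSFor1500MTU also hard-codes an IPv4 header in IPTCPOverHead (40) and a 1500-byte link MTU, so an IPv6 service CIDR or a lower underlay MTU would still leave the pod sending segments larger than the tunnel can carry; a comment such as `// Assumes IPv4 (20 B IP + 20 B TCP) and a 1500 B path MTU; IPv6 needs 60 B of header.` above the constants would make the scope of the workaround explicit. Style-wise, the three exported constants belong in one `const (...)` block with doc comments starting with their names, and Go initialism casing would be `IPTCPOverhead` rather than `IPTCPOverHead`. getForwardingRuleSpecs is fully contained in the hunk, so these are the only lines affected.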