Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automated backport of #3187: Fix error deleting TCPMSS clamp rule in route agent #3190

Conversation

tpantelis
Copy link
Contributor

Backport of #3187 on release-0.18.

#3187: Fix error deleting TCPMSS clamp rule in route agent

For details on the backport process, see the backport requests page.

This warning was observed on route agent restart:

2024-10-15T18:30:34.752Z WRN ..etfilter/adapter.go:120 Packetfilter
Unable to delete rule "packetfilter.Rule{Action: MSS,
SrcCIDR: 172.31.0.0/16}" from table "Filter", chain
"SUBMARINER-FWD-MSSCLAMP": error deleting rule "-s 172.31.0.0/16
-j TCPMSS" from table "filter", chain "SUBMARINER-FWD-MSSCLAMP":
running [/usr/sbin/iptables -t filter -D SUBMARINER-FWD-MSSCLAMP
-s 172.31.0.0/16 -j TCPMSS --wait 5]: exit status 2: iptables
v1.8.8 (nf_tables): TCPMSS target:
At least one parameter is required
Try `iptables -h' or 'iptables --help' for more information.

The problem is that we're not specifying either "--clamp-mss-to-pmtu"
or "--set-mss" after "-j TCPMSS". This is due to incorrect parsing
of the rule string returned from the iptables command. We're
expecting "-p tcp -m tcp --tcp-flags SYN,RST SYN" to be right after
"-j TCPMSS" the same as we write it out when appeneding but iptables
returns the parameters in a different order with "--clamp-mss-to-pmtu"
or "--set-mss" right after "-j TCPMSS", eg

  "-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1500"

So we miss parsing the TCPMSS parameter and thus don't set the
MssClampType field correctly.

Modify the parsing to handle the parameters in any order.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@submariner-bot
Copy link
Contributor

🤖 Created branch: z_pr3190/tpantelis/automated-backport-of-#3187-upstream-release-0.18
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@tpantelis tpantelis requested a review from aswinsuryan October 17, 2024 20:44
@tpantelis tpantelis added the ready-to-test When a PR is ready for full E2E testing label Oct 18, 2024
@tpantelis tpantelis merged commit 223468f into submariner-io:release-0.18 Oct 18, 2024
44 checks passed
@submariner-bot
Copy link
Contributor

🤖 Closed branches: [z_pr3190/tpantelis/automated-backport-of-#3187-upstream-release-0.18]

@Jaanki Jaanki mentioned this pull request Oct 28, 2024
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
automated-backport ready-to-test When a PR is ready for full E2E testing
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants