From dcda11d6e19d9508ecd4a23f8b41857a9fe81fc4 Mon Sep 17 00:00:00 2001
From: Mengxin Liu
Date: Tue, 17 Aug 2021 18:20:57 +0800
Subject: [PATCH] fix: bad udp checksum when access nodeport

Similar to https://github.com/flannel-io/flannel/issues/1279, unmark output to bypaas kernel bug and enable checksum for better performance.
---
 dist/images/install-pre-1.16.sh | 2 +-
 dist/images/install.sh | 2 +-
 dist/images/uninstall.sh | 2 ++
 pkg/daemon/gateway.go | 4 ++++
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/dist/images/install-pre-1.16.sh b/dist/images/install-pre-1.16.sh
index d2146f020d4..4c4436e7391 100644
--- a/dist/images/install-pre-1.16.sh
+++ b/dist/images/install-pre-1.16.sh
@@ -1845,7 +1845,7 @@ spec:
  - /kube-ovn/start-cniserver.sh
  args:
  - --enable-mirror=$ENABLE_MIRROR
- - --encap-checksum=false
+ - --encap-checksum=true
  - --service-cluster-ip-range=$SVC_CIDR
  - --iface=${IFACE}
  - --network-type=$NETWORK_TYPE
diff --git a/dist/images/install.sh b/dist/images/install.sh
index 44ddadb6fae..2ddf05f3cc7 100755
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -1889,7 +1889,7 @@ spec:
  - /kube-ovn/start-cniserver.sh
  args:
  - --enable-mirror=$ENABLE_MIRROR
- - --encap-checksum=false
+ - --encap-checksum=true
  - --service-cluster-ip-range=$SVC_CIDR
  - --iface=${IFACE}
  - --network-type=$NETWORK_TYPE
diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
index 516e2e5e950..77d5d4386f3 100644
--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
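Review bot: `--encap-checksum=true` is hard-coded in both install scripts, unlike the neighbouring `--enable-mirror=$ENABLE_MIRROR`, so an operator whose NIC or kernel still produces bad Geneve checksums with offload enabled has no way back to the previous behaviour short of editing the generated manifest. Exposing it the same way as the other options, `- --encap-checksum=${ENCAP_CHECKSUM:-true}` with the variable documented alongside the existing install settings (presumably near the top of the script, not visible here), keeps the new default while leaving an escape hatch; the same applies to the install.sh hunk at -1889,7. The container spec these lines belong to begins and ends outside the hunk.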
@@ -14,6 +14,7 @@ iptables -t filter -D FORWARD -m set --match-set ovn40subnets dst -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services dst -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services src -j ACCEPT
+iptables -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
 
 if [ -n "$1" ]; then
 iptables -t nat -D POSTROUTING ! -s "$1" -m set --match-set ovn40subnets dst -j MASQUERADE
@@ -37,6 +38,7 @@ ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets dst -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services dst -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services src -j ACCEPT
+ip6tables -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
 
 if [ -n "$1" ]; then
 ip6tables -t nat -D POSTROUTING ! -s "$1" -m set --match-set ovn60subnets dst -j MASQUERADE
diff --git a/pkg/daemon/gateway.go b/pkg/daemon/gateway.go
index 617c63b75aa..99219867d0f 100644
--- a/pkg/daemon/gateway.go
+++ b/pkg/daemon/gateway.go
@@ -427,6 +427,8 @@ func (c *Controller) setIptables() error {
  {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40subnets dst -j ACCEPT`)},
  {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services src -j ACCEPT`)},
  {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
+ // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
+ {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
  }
  v6Rules = []util.IPTableRule{
  // nat outgoing
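Review bot: The new `iptables -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0` line (and its ip6tables twin in the -37,6 hunk) relies on the implicit filter table and repeats the daemon's rule text verbatim with nothing tying the two together, so a later change to the rule in pkg/daemon/gateway.go (table, port or mask) would leave this deletion silently matching nothing. I would spell the table out, `iptables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`, and put `# must match the OUTPUT unmark rule installed by pkg/daemon/gateway.go (setIptables)` above each of the two lines. As with the other deletions in this file, `-D` removes one instance only; if the daemon ever inserted the rule more than once, the extra copies would survive uninstall.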
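Review bot: The new OUTPUT rule `-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0` zeroes the entire fwmark (no mask is given, so all 32 bits) on every locally generated UDP datagram to port 6081, not just the bits that trigger the masquerade this change works around, so any other component that sets a mark earlier in OUTPUT (policy routing, a masquerade mark) loses it on Geneve-bound packets as well. If only specific mark bits drive the NAT decision, narrowing the target to `--set-xmark 0x0/<MARK_MASK>` (placeholder; the daemon's mark bits are not visible in this hunk) keeps the workaround from clobbering unrelated marks. The comment should also say what the rule is for and that it has a counterpart in dist/images/uninstall.sh, e.g. `// Clear the fwmark on locally generated Geneve (UDP/6081) packets so they are presumably not rewritten by nat POSTROUTING; with encap checksum offload enabled that rewrite yields bad UDP checksums (flannel#1279). Keep in sync with dist/images/uninstall.sh.`. The same rule and comment recur in the v6Rules hunk at -448,6, and setIptables begins before this hunk.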
@@ -448,6 +450,8 @@ func (c *Controller) setIptables() error {
  {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60subnets dst -j ACCEPT`)},
  {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services src -j ACCEPT`)},
  {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
+ // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
+ {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
  }
  )
  protocols := make([]string, 2)