Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BPF] Conntrack entry cleaned up by TCP RSTs with unexpected sequence numbers #9605

Open
ioworker0 opened this issue Dec 15, 2024 · 1 comment
Open

[BPF] Conntrack entry cleaned up by TCP RSTs with unexpected sequence numbers #9605

ioworker0 opened this issue Dec 15, 2024 · 1 comment
Labels
area/bpf eBPF Dataplane issues impact/high kind/bug likelihood/low

Comments

@ioworker0
Copy link

ioworker0 commented Dec 15, 2024
edited
Loading

In eBPF mode, there is an issue where TCP RSTs with unexpected sequence numbers can trigger conntrack state to be torn down. In turn the conntrack entry will be cleaned up (on a 10s timer) so after that the TCP flow will die. However, the flow should have remained alive because the kernel on the receiving side will drop/discard out-of-window RSTs.

Perhaps, we need to find a way to adjust the conntrack tracking to drop/discard out-of-window RSTs, similar to how the kernel does, ensuring that the conntrack entry would survive.

BTW, everything is working as expected in iptables mode, as out-of-window TCP RSTs have no impact on conntrack entries and will be dropped by iptables.

It's related to https://calicousers.slack.com/archives/CUKP5S64R/p1734009200633879

Your Environment

  • Calico version: v3.27.3
  • Calico dataplane: eBPF
@ioworker0
Copy link
Author

CC @tomastigera @fasaxc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/bpf eBPF Dataplane issues impact/high kind/bug likelihood/low
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ioworker0 @tomastigera