
Commit 4ee107a

zhaocongqioilbeater
authored andcommitted
fix: udp bad checksum on VXLAN interface (#4639)
Signed-off-by: zcq98 <zhaocongqi_yewu@cmss.chinamobile.com>
1 parent 4ba576c commit 4ee107a


2 files changed

+6
-0
lines changed


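--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
@@ -22,6 +22,7 @@ iptables -t filter -D FORWARD -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services dst -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services src -j ACCEPT
 iptables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
+iptables -t filter -D OUTPUT -p udp -m udp --dport 4789 -j MARK --set-xmark 0x0
 iptables -t filter -D OUTPUT -p tcp -m mark ! --mark 0x4000/0x4000 -m set --match-set ovn40services dst -m conntrack --ctstate NEW -j REJECT
 iptables -t mangle -D PREROUTING -m comment --comment "kube-ovn prerouting rules" -j OVN-PREROUTING
 iptables -t mangle -D POSTROUTING -m comment --comment "kube-ovn postrouting rules" -j OVN-POSTROUTING
@@ -63,6 +64,7 @@ ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services dst -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services src -j ACCEPT
 ip6tables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
+ip6tables -t filter -D OUTPUT -p udp -m udp --dport 4789 -j MARK --set-xmark 0x0
 ip6tables -t filter -D OUTPUT -p tcp -m mark ! --mark 0x4000/0x4000 -m set --match-set ovn60services dst -m conntrack --ctstate NEW -j REJECT
 ip6tables -t mangle -D PREROUTING -m comment --comment "kube-ovn prerouting rules" -j OVN-PREROUTING
 ip6tables -t mangle -D POSTROUTING -m comment --comment "kube-ovn postrouting rules" -j OVN-POSTROUTING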
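Review bot: `iptables -D` removes a rule only when the specification matches exactly, so the two added delete lines (IPv4 and IPv6) must stay identical to the rule literals the daemon installs in pkg/daemon/gateway_linux.go, and nothing in the script says so. A comment above each pair would make that dependency visible, for example `# OUTPUT unmark rules for Geneve (6081) and VXLAN (4789); keep in sync with setIptables in pkg/daemon/gateway_linux.go`. Whether the script tolerates a failed delete on nodes that never had the 4789 rule is not visible in these hunks and is worth confirming.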

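--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -556,6 +556,7 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 // Drop invalid rst
 {Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
@@ -595,6 +596,7 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 // Drop invalid rst
 {Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn60subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
@@ -1084,6 +1086,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 }
 v6ObsoleteRules = []util.IPTableRule{
 {Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m mark --mark 0x40000/0x40000 -j MASQUERADE`)},
@@ -1117,6 +1120,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 }
 )
 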
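Review bot: The added `--dport 4789 -j MARK --set-xmark 0x0` entries in setIptables (IPv4 and IPv6 lists) clear the whole packet mark on every locally generated UDP packet to port 4789, because the match is on destination port alone and `--set-xmark` is given no mask. As far as the hunks show the entry is added unconditionally, so any other mark set earlier on such packets (for policy routing or host firewall matching) is lost even on nodes whose tunnel is not VXLAN; if only specific mark bits trigger the checksum problem a masked form would be narrower, though which bits those are is not shown here. The existing comment sits above the 6081 line only and could read `// Output unmark for Geneve (6081) and VXLAN (4789) to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279`. The same literal is also added to both obsolete-rule lists in cleanObsoleteIptablesRules; both functions start and end outside the hunks.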
