
Commit a9cd9a1

authored
fix: udp bad checksum on VXLAN interface (#4639)
Signed-off-by: zcq98 <zhaocongqi_yewu@cmss.chinamobile.com>
1 parent c414e6b commit a9cd9a1

2 files changed

+6
-0
lines changed

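--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
@@ -22,6 +22,7 @@ iptables -t filter -D FORWARD -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services dst -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services src -j ACCEPT
 iptables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
+iptables -t filter -D OUTPUT -p udp -m udp --dport 4789 -j MARK --set-xmark 0x0
 iptables -t filter -D OUTPUT -p tcp -m mark ! --mark 0x4000/0x4000 -m set --match-set ovn40services dst -m conntrack --ctstate NEW -j REJECT
 iptables -t mangle -D PREROUTING -m comment --comment "kube-ovn prerouting rules" -j OVN-PREROUTING
 iptables -t mangle -D POSTROUTING -m comment --comment "kube-ovn postrouting rules" -j OVN-POSTROUTING
@@ -63,6 +64,7 @@ ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services dst -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services src -j ACCEPT
 ip6tables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
+ip6tables -t filter -D OUTPUT -p udp -m udp --dport 4789 -j MARK --set-xmark 0x0
 ip6tables -t filter -D OUTPUT -p tcp -m mark ! --mark 0x4000/0x4000 -m set --match-set ovn60services dst -m conntrack --ctstate NEW -j REJECT
 ip6tables -t mangle -D PREROUTING -m comment --comment "kube-ovn prerouting rules" -j OVN-PREROUTING
 ip6tables -t mangle -D POSTROUTING -m comment --comment "kube-ovn postrouting rules" -j OVN-POSTROUTING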

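--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -591,6 +591,7 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 // Drop invalid rst
 {Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
@@ -630,6 +631,7 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 // Drop invalid rst
 {Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn60subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
@@ -1135,6 +1137,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 }
 v6ObsoleteRules = []util.IPTableRule{
 {Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m mark --mark 0x40000/0x40000 -j MASQUERADE`)},
@@ -1168,6 +1171,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 4789 -j MARK --set-xmark 0x0`)},
 }
 )
 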
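Review bot: The added `--dport 4789` entries in setIptables match every locally generated UDP packet to that port and, because `--set-xmark 0x0` carries no mask, zero the whole fwmark rather than a single bit, so marks set by any other component on the node are also lost for VXLAN traffic that is not kube-ovn's. The rule lists look static in these hunks (both function bodies start and end outside them), so the rule would presumably be installed whether or not the node runs a VXLAN tunnel. If that breadth is intended, the shared comment should say so, for example `// 6081 = Geneve, 4789 = VXLAN; clears the whole fwmark on all locally generated UDP to these ports to bypass kernel nat checksum issue (flannel#1279)`. The same rule text now lives in four Go lists and in uninstall.sh, where `-D` removes only an exact match, so a later edit to one copy could leave a stale OUTPUT rule behind after uninstall. A single named rule spec reused by the set and obsolete lists would keep them in step.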
