
[BPF] Conntrack entry cleaned up by TCP RSTs with unexpected sequence numbers #9605

Open
ioworker0 opened this issue Dec 15, 2024 · 1 comment

ioworker0 (Contributor) commented Dec 15, 2024

In eBPF mode, there is an issue where TCP RSTs with unexpected sequence numbers can trigger conntrack state to be torn down. In turn, the conntrack entry will be cleaned up (on a 10s timer), so after that the TCP flow will die. However, the flow should have remained alive, because the kernel on the receiving side will drop/discard out-of-window RSTs.

Perhaps we need to find a way to adjust the conntrack tracking to drop/discard out-of-window RSTs, similar to how the kernel does, ensuring that the conntrack entry would survive.

BTW, everything is working as expected in iptables mode, as out-of-window TCP RSTs have no impact on conntrack entries and will be dropped by iptables.

It's related to https://calicousers.slack.com/archives/CUKP5S64R/p1734009200633879

Your Environment

  • Calico version: v3.27.3
  • Calico dataplane: eBPF
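To make the behaviour being asked for concrete, here is an added illustration that is not Calico's BPF code and not from the reporter: a plain user-space C model of a TCP conntrack entry with two RST handlers side by side. The naive handler tears the entry down on any RST (the behaviour the issue describes). The checked handler applies the rule the receiving kernel applies (RFC 5961 semantics as implemented by Linux `tcp_validate_incoming`): an RST exactly at the peer's `rcv_nxt` resets the connection, an RST elsewhere inside the advertised window only provokes a challenge ACK, and an out-of-window RST is discarded. Only the first of these should move the conntrack entry towards close. The struct layout, function names and the constructed flow numbers are assumptions made for this example.

```c
/*
 * Added example: a user-space model of window-validated RST handling for a
 * tracked TCP flow. Not Calico's code; struct layout and names are invented.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum ct_side { CT_ORIG = 0, CT_REPLY = 1 };

/* Per-direction tracking state (hypothetical layout, not Calico's). */
struct ct_tcp_dir {
    uint32_t snd_nxt; /* next sequence number this side is expected to send */
    uint32_t rcv_wnd; /* receive window this side last advertised */
};

struct ct_tcp_entry {
    struct ct_tcp_dir dir[2]; /* indexed by enum ct_side */
    bool closing;             /* set once a genuine teardown has been seen */
};

enum rst_verdict {
    RST_DROP = 0,      /* out of window: receiver discards it, entry untouched */
    RST_CHALLENGE = 1, /* in window, not at rcv_nxt: receiver sends a challenge ACK, entry untouched */
    RST_ACCEPT = 2     /* exactly at rcv_nxt: the connection really is reset */
};

/* Modular sequence-number comparison, safe across the 2^32 wrap. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* lo <= seq < lo + wnd, with wraparound; an empty window admits nothing. */
static bool seq_in_window(uint32_t seq, uint32_t lo, uint32_t wnd)
{
    return wnd != 0 && !seq_before(seq, lo) && seq_before(seq, lo + wnd);
}

/* Behaviour described in the issue: every RST tears the entry down. */
static enum rst_verdict ct_tcp_rst_naive(struct ct_tcp_entry *ct, enum ct_side from, uint32_t seq)
{
    (void)from;
    (void)seq;
    ct->closing = true;
    return RST_ACCEPT;
}

/* Window-validated behaviour, mirroring what the receiving kernel will do. */
static enum rst_verdict ct_tcp_rst_checked(struct ct_tcp_entry *ct, enum ct_side from, uint32_t seq)
{
    enum ct_side to = (from == CT_ORIG) ? CT_REPLY : CT_ORIG;
    uint32_t rcv_nxt = ct->dir[from].snd_nxt; /* what the peer expects next from 'from' */
    uint32_t wnd     = ct->dir[to].rcv_wnd;   /* window the peer advertised to 'from' */

    if (seq == rcv_nxt) {
        ct->closing = true;
        return RST_ACCEPT;
    }
    if (seq_in_window(seq, rcv_nxt, wnd))
        return RST_CHALLENGE; /* receiver will challenge-ACK; keep tracking */
    return RST_DROP;          /* receiver will silently discard; keep tracking */
}

/* Convenience wrapper: verdict for an RST from the original side, given the
 * peer's expected sequence number and advertised window. */
static enum rst_verdict rst_verdict_for(uint32_t peer_rcv_nxt, uint32_t peer_wnd, uint32_t seq)
{
    struct ct_tcp_entry ct = { { { peer_rcv_nxt, 65535 }, { 5000, peer_wnd } }, false };
    return ct_tcp_rst_checked(&ct, CT_ORIG, seq);
}

/* Constructed scenario: an established flow where the original side is at
 * seq 1000 and the reply side advertises a 65535-byte window. Returns 1 when
 * the checked tracker survives the stray RSTs and closes only on the exact one. */
static int scenario_established_flow(void)
{
    struct ct_tcp_entry naive   = { { { 1000, 65535 }, { 5000, 65535 } }, false };
    struct ct_tcp_entry checked = naive;
    int ok = 1;

    /* 1. Stale/spoofed RST far outside the window: the issue's failure case. */
    ct_tcp_rst_naive(&naive, CT_ORIG, 0x70000000u);
    ok &= (naive.closing == true); /* naive tracker has already given up the flow */
    ok &= (ct_tcp_rst_checked(&checked, CT_ORIG, 0x70000000u) == RST_DROP);
    ok &= (checked.closing == false);

    /* 2. RST inside the window but not at rcv_nxt: challenge ACK, flow lives. */
    ok &= (ct_tcp_rst_checked(&checked, CT_ORIG, 1000 + 4096) == RST_CHALLENGE);
    ok &= (checked.closing == false);

    /* 3. RST exactly at rcv_nxt: this is a real reset. */
    ok &= (ct_tcp_rst_checked(&checked, CT_ORIG, 1000) == RST_ACCEPT);
    ok &= (checked.closing == true);
    return ok;
}

int main(void)
{
    printf("established-flow scenario: %s\n", scenario_established_flow() ? "ok" : "FAILED");
    printf("RST seq=999 verdict: %d (0=drop)\n", rst_verdict_for(1000, 65535, 999));
    return 0;
}
```

The point of the two-handler layout is that the only RST which must change conntrack state is the one the receiving kernel will actually honour; anything else leaves the entry untouched so its normal timers continue. Note that the model ignores `tcp_be_liberal`-style relaxations and timestamp-based checks; it only shows the window test itself.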
ioworker0 (Contributor, Author) commented:

CC @tomastigera @fasaxc
