Add error logging for that Antrea network's MTU exceeds Suricata's maximum supported value #5408
Conversation
hongliangl
force-pushed
the
20230818-fix-l7-mtu
branch
from
96fe555 to
9b14172
Compare
antoninbas
added
kind/cherry-pick
|
/test-all |
antoninbas
added
the
action/release-note
What does it mean? I saw the bug was because one interface used 1500 while the other used 65485, neither of which seems not the minimum MTU of OVS ports. |
For example, there are two ports connected to the OVS:
When creating an OVS internal port
If a port
I'm not sure what happened during creating the OVS internal ports for L7 NetworkPolicy, which results in the fact that the ports for L7 NetworkPolicy have different MTU values, but I think the issue that they have different MTU values can be fixed by specifying MTU value when creating them or modifying them at every Antrea startup. |
|
Aren't the MTUs of Pod interface and antrea-gw0 already set to 1500 or 1450? In which case they will be 65485? I understand setting suricata interfaces's MTU explicitly is right thing to do, but I don't understand the root cause of the issue. |
MTU 65485 is set on @tushartathgur local testbed when I had a live debugging with him last time. I saw that the MTU of every port connected to OVS is 65485, including |
|
Could you test if setting the MTU explicitly to the same MTU as Pod can fix the issue on a Node with MTU > 1500? From the issue report, I can't tell if it crashed because inconsistent MTU of MTU larger than 1500. |
OK |
After investigation, I found that the crash was caused by the MTU 65485. According to the error log /* Compute structure:
Target is to store all pending packets
with a size equal to MTU + auxdata
And we keep a decent number of block
To do so:
Compute frame_size (aligned to be able to fit in block
Check which block size we need. Blocksize is a 2^n * pagesize
We then need to get order, big enough to have
frame_size < block size
Find number of frame per block (divide)
Fill in packet_req
Compute frame size:
described in packet_mmap.txt
dependant on snaplen (need to use a variable ?)
snaplen: MTU ?
tp_hdrlen determine_version in daq_afpacket
in V1: sizeof(struct tpacket_hdr);
in V2: val in getsockopt(instance->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len)
frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
*/
int tp_hdrlen = sizeof(struct tpacket_hdr);
int snaplen = default_packet_size;
if (snaplen == 0) {
snaplen = GetIfaceMaxPacketSize(ptv->iface);
if (snaplen <= 0) {
SCLogWarning(SC_ERR_INVALID_VALUE,
"Unable to get MTU, setting snaplen to sane default of 1514");
snaplen = 1514;
}
}
ptv->req.v2.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
ptv->req.v2.tp_block_size = getpagesize() << order;
int frames_per_block = ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size;
if (frames_per_block == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "Frame size bigger than block size");
return -1;
}According to the code:
|
hongliangl
force-pushed
the
20230818-fix-l7-mtu
branch
4 times, most recently
from
0a42524 to
4740a2a
Compare
The MTU of OVS ports for L7 NetworkPolicy should be set to the calculated MTU value according to traffic mode at every startup. For example, before this commit, assuming that feature gate L7NetworkPolicy is enabled in encap mode, then the OVS ports for L7 NetworkPolicy will be created and their MTU is 1420. If the traffic mode is changed to noEncap, the MTU of the OVS ports is still 1420. However, the MTU of Pods ports and Antrea local gateway port is 1500 right now. Besides, when creating the L7 NetworkPolicy ports for the first time in a Node, without specifying the MTU value, the minimum MTU value from all OVS ports will be used. From above, we can see that the MTU value might be smaller than the MTU calculated by Antrea which is used in Antrea local gateway port and Pod ports, which results in the unavailability of L7 NetworkPolicy if the size of packet is greater than the value of L7 NetworkPolicy port MTU. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
force-pushed
the
20230818-fix-l7-mtu
branch
from
4740a2a to
3cebf05
Compare
|
/skip-all |
|
@hongliangl I suppose the commit message and the PR description is out-of-date? Could you update the PR description which I will use as commit message. |
hongliangl
changed the title
Added |
|
Removing |
Fixes: #5398
When the MTU value of Antrea network is greater than the maximum supported MTU by
Suricata, which is used as L7 NetworkPolicy engine in Antrea. It may fail to start.
Currently, assuming that the page size is 4096, the maximum supported MTU by Suricata
is 32678 according to Suricata source code at
https://github.com/OISF/suricata/blob/49713ebaa0b8edb057d60f1cfe9126946645a848/src/source-af-packet.c#L1757C2-L1777C129.
This commit adds an error logging to warn users about that.
Signed-off-by: Hongliang Liu [email protected]