
missing PBR for the node to send reverse traffic over the tunnel interface #421

Closed
murali-reddy opened this issue May 4, 2018 · 2 comments
Comments

@murali-reddy
Member

In the scenario where node A sends traffic to pod B running on node B, and the nodes are in different subnets, tunnel interfaces are created on both nodes to send traffic in IPIP tunnels.

So node A:pod B traffic gets encapsulated with the outer header as node A:node B, and the traffic is sent over the tunnel on node A. On node B the traffic is decapsulated and sent to pod B.

Return traffic from the pod, which is pod B:node A, without PBR gets routed directly, as node A can be reached by node B. This results in martian packets (or RPF failures), as the packet arrives on the tunnel interface and leaves on a different interface.

To prevent this, a PBR is added in table number 77 which basically tells that traffic from the pods on node B to node A should be sent over the tunnel interface.

It is observed that in some deployments, the PBR added for the node is missing. And annoyingly, no error results either when the PBR is added.

		import (
			"fmt"
			"net"
			"os/exec"
			"strings"
		)
		// ensureTunnelRoute (function name assumed) adds "nexthop dev tunnelName" to the custom table.
		func ensureTunnelRoute(customRouteTableID, customRouteTableName, tunnelName string, nexthop net.IP) error {
			out, err := exec.Command("ip", "route", "list", "table", customRouteTableID).CombinedOutput()
			if err != nil {
				return fmt.Errorf("Failed to verify if route already exists in %s table: %s",
					customRouteTableName, err.Error())
			}
			// Only checks that the tunnel name appears somewhere in the listing, not that a route for this nexthop exists.
			if !strings.Contains(string(out), tunnelName) {
				if out, err = exec.Command("ip", "route", "add", nexthop.String(), "dev", tunnelName, "table",
					customRouteTableID).CombinedOutput(); err != nil {
					return fmt.Errorf("failed to add route in custom route table, err: %s, output: %s", err, string(out))
				}
			}
			return nil
		}

So it needs to be figured out why this is happening, and a preventive measure.
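As an added example (not kube-router's code), a stricter way for node B to verify the table 77 route than the substring test quoted above: parse the listing and require the exact nexthop/device pair, so a missing route for node A is detected even when other tunnel routes exist. The sample listing, tunnel names and function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample of `ip route list table 77` on node B (hypothetical tunnel
// names): routes via tunnels to two other nodes exist, but none for node A.
const sampleTable77 = `10.0.2.10 dev tun-10002 scope link
10.0.3.10 dev tun-10003 scope link
`

// hasTunnelRoute reports whether the listing holds a route whose destination
// is exactly nexthop and whose device is exactly tunnelName. It parses each
// line as "<dst> dev <ifname> ..." instead of searching for a substring.
func hasTunnelRoute(listing string, nexthop net.IP, tunnelName string) bool {
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[1] != "dev" {
			continue // not a plain "dst dev ifname" route line
		}
		dst := net.ParseIP(f[0])
		if dst != nil && dst.Equal(nexthop) && f[2] == tunnelName {
			return true
		}
	}
	return false
}

// looseCheck is the substring test from the issue, kept for comparison: it
// also returns true when tunnelName is merely a prefix of another device name.
func looseCheck(listing, tunnelName string) bool {
	return strings.Contains(listing, tunnelName)
}

func main() {
	nodeA := net.ParseIP("10.0.1.10")
	fmt.Println("exact check for node A route:", hasTunnelRoute(sampleTable77, nodeA, "tun-10001"))
	fmt.Println("substring check with prefix tun-1000:", looseCheck(sampleTable77, "tun-1000"))
}
```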

@murali-reddy
Member Author

The same scenario above applies when a pod in the host network tries to access a pod running on a node in a different subnet.

@murali-reddy
Member Author

Fixed in #442
