Small ICMP fragments dropped by datapath #16036
Labels
kind/bug
This is a bug in the Cilium logic.
kind/question
Frequently asked questions & answers. This issue will be linked from the documentation's FAQ.
pinned
These issues are not marked stale by our issue bot.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
While testing MTU settings with e.g.
ping -s <large>
I noticed that Cilium datapath currently seems to drop (tested rev 0ff85f2) ICMP fragments when the fragment is smaller thansizeof(icmphdr)
due to the ICMP type check in __policy_can_access (https://github.com/cilium/cilium/blob/0ff85f2f9/bpf/lib/policy.h#L117) as the code is not checking whether the packet in question is a fragment and thus might not contain the ICMP header.Would it be worth adding the extra branch to the datapath to fix this edge case?
The text was updated successfully, but these errors were encountered: