ICMP errors generated by tracked flows treated as related traffic #2247
Commits on Apr 15, 2020
-
-
-
bpf: icmp_skb_get_hdr() returns the icmp header
Can be reused in other locations.
-
-
bpf: ut for NAT related from the host
This is a prerequisite for letting host to handle TTL exceeded.
-
fv: allow creating inactive workloads
Sets up endpoints, routes etc, but does not run
-
fv: allow to start inactive workload
to complement the fact that we can create an inactive workload
-
-
bpf/fv: fix the IP size in makeICMPError() and test ports
Check that the ports are fixed up after NATing the ICMP related back
-
-
bpf: tunneling from host and csum of icmp related
Needs to update csum in the inner IP header instead of the outer. When icmp generated by the next hop node, it needs to be placed in the tunnel.
Commits on Apr 16, 2020
-
fv: tcpdump fails test if it never listened
This is triggered by missing tcpdump or bad filter
-
fv: tcpdump for containers without tcpdump installed
only felix-test image has tcpdump installed, extrnal client has not
-
bpf: nodeports and icmp related
if SNAT, we also need to fix up the source in the outer IP FV tests when ICMP is returned from host and from the backing workload
-
-
bpf: SNAT of outer IP only if returning to outer client
When we generate an ICMP in a workload or at a host in response to traffic that originated through a NP tunnel ammend the outer source IP as if the reponse was from the original node as all the rest is internal to the cluster.
-
-
Commits on Apr 17, 2020
-
-
bpf: icmp related retunign from tunnel is fwd approved
We need to treat related ICMP from tunnel the same way as we do the original traffic, otherwise it would go through the conntrack on the way out and would create ICMP tracking record.