From 69f8191921c65fc1b75b7ab24ba361a64d501d5c Mon Sep 17 00:00:00 2001 From: "Steven E. Harris" Date: Tue, 30 Aug 2022 14:26:52 -0400 Subject: [PATCH] Calico: Work around host port/conntrack problem In Calico's released versions, when using the eBPF data plane, containers using host ports cannot respond to connection attempts correctly. These container receive the packets from the client forwarded after DNAT, but when they reply, there is no conntrack entry for the would-be connection, so netfilter drops the reply packets, preventing the connection from completing. The client never receives the reply packets. The conntrack entry is missing because Calico mistakenly attempts to optimize it away. Work around the problem by disabling the Calico Felix program's "BPFHostConntrackBypass" feature. This is a temporary measure until the Calico maintainers can improve this feature to better handle host port traffic, preserving these conntrack entries as intended. --- .../networking.projectcalico.org/k8s-1.22.yaml.template | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.22.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.22.yaml.template index fc4d1475a3..b1977d33ae 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.22.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.22.yaml.template @@ -4705,6 +4705,12 @@ spec: # Controls the log level used by the BPF programs - name: FELIX_BPFLOGLEVEL value: "{{- or .Networking.Calico.BPFLogLevel "Off" }}" + # Temporary workaround for https://github.com/projectcalico/calico/issues/6522, + # allowing reply packets from containers using host ports to flow through DNAT reversal properly. + {{- if .Networking.Calico.BPFEnabled }} + - name: FELIX_BPFHostConntrackBypass + value: "false" + {{- end }} # Controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom - name: FELIX_CHAININSERTMODE value: "{{- or .Networking.Calico.ChainInsertMode "insert" }}"