Calico: Work around host port/conntrack problem

In Calico's released versions, when using the eBPF data plane, containers using host ports cannot respond to connection attempts correctly. These container receive the packets from the client forwarded after DNAT, but when they reply, there is no conntrack entry for the would-be connection, so netfilter drops the reply packets, preventing the connection from completing. The client never receives the reply packets. The conntrack entry is missing because Calico mistakenly attempts to optimize it away. Work around the problem by disabling the Calico Felix program's "BPFHostConntrackBypass" feature. This is a temporary measure until the Calico maintainers can improve this feature to better handle host port traffic, preserving these conntrack entries as intended.
2022-08-30 14:26:52 -04:00 · 2022-08-30 14:26:52 -04:00 · 69f8191921
parent 5710b1ef2e
commit 69f8191921
1 changed files with 6 additions and 0 deletions
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.22.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.22.yaml.template
@ -4705,6 +4705,12 @@ spec:
            # Controls the log level used by the BPF programs
            - name: FELIX_BPFLOGLEVEL
              value: "{{- or .Networking.Calico.BPFLogLevel "Off" }}"
+            # Temporary workaround for https://github.com/projectcalico/calico/issues/6522,
+            # allowing reply packets from containers using host ports to flow through DNAT reversal properly.
+            {{- if .Networking.Calico.BPFEnabled }}
+            - name: FELIX_BPFHostConntrackBypass
+              value: "false"
+            {{- end }}
            # Controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom
            - name: FELIX_CHAININSERTMODE
              value: "{{- or .Networking.Calico.ChainInsertMode "insert" }}"