cilium: BPF NAT engine is not dropping ICMP type 13 (timestamp)
Cilium version
Client: 1.9.90 44382f928 2021-04-27T09:45:08-03:00 go version go1.16.3 linux/amd64
Daemon: 1.9.90 44382f928 2021-04-27T09:45:08-03:00 go version go1.16.3 linux/amd64
Kernel version
Linux k8s1 5.12.0-rc4+ #1 SMP Wed Apr 21 11:28:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Cluster health
Cluster health: 2/2 reachable (2021-04-27T21:39:48Z)
Name IP Node Endpoints
k8s1 (localhost) 192.168.33.11 reachable reachable
k8s2 192.168.33.12 reachable reachable
How to reproduce:
- Run the VM:
NETNEXT=1 VM_CPUS=6 K8S=1 NWORKERS=1 contrib/vagrant/start.sh - Create a pod (e.g. ubuntu) in k8s1+
- Run
hping3 <ip-k8s2+> --icmp --icmp-tsin the pod
The messages should be dropped, but the reply is received
root@ubuntu:/# hping3 192.168.33.12 --icmp --icmp-ts
HPING 192.168.33.12 (eth0 192.168.33.12): icmp mode set, 28 headers + 0 data bytes
len=40 ip=192.168.33.12 ttl=62 id=61849 icmp_seq=0 rtt=1.8 ms
ICMP timestamp: Originate=70862679 Receive=70862681 Transmit=70862681
ICMP timestamp RTT tsrtt=1
len=40 ip=192.168.33.12 ttl=62 id=61979 icmp_seq=1 rtt=505.2 ms
ICMP timestamp: Originate=70863706 Receive=70863709 Transmit=70863709
ICMP timestamp RTT tsrtt=505
len=40 ip=192.168.33.12 ttl=62 id=62121 icmp_seq=2 rtt=12.1 ms
ICMP timestamp: Originate=70864716 Receive=70864719 Transmit=70864719
ICMP timestamp RTT tsrtt=12
len=40 ip=192.168.33.12 ttl=62 id=62220 icmp_seq=3 rtt=3.9 ms
ICMP timestamp: Originate=70865717 Receive=70865720 Transmit=70865720
ICMP timestamp RTT tsrtt=4
len=40 ip=192.168.33.12 ttl=62 id=62257 icmp_seq=4 rtt=6.9 ms
ICMP timestamp: Originate=70866718 Receive=70866721 Transmit=70866721
ICMP timestamp RTT tsrtt=7
About this issue
- Original URL
- State: open
- Created 3 years ago
- Comments: 17 (15 by maintainers)
@brb, yes! I could send a PR with this fix if you confirm the problem. I believe we just need to insert error handle in the
tail_handle_nat_fwd_ipv4.Thanks for spotting this. Initial comments from @borkmann: