kubernetes: unidirectional UDP traffic to a NodePort service is not handled properly

What happened: I created a NodePort service listening on UDP to expose my syslog server. When sending traffic to a Nodport on a node that doesn’t contain the pod I can see that the packet is being NATed and forwarded correctly through the tunnel to the node which runs this pod (I’m using Calico as CNI). However, any consecutive packets on same connection/tuple are not being forwarded by the first node and gets dropped by it. I did further research and found out that the pod needs to respond at least once on this connection in order for the first Node to allow more packets from the client on this connection to be forwarded to the pod. looking at conntack: conntrack -L -p UDP --dport 32063 udp 17 28 src=10.175.98.87 dst=10.175.3.82 sport=47909 dport=32063 [UNREPLIED] src=10.10.2.44 dst=10.10.1.1 sport=5514 dport=47909 mark=0 use=1

So it seems that as long as the [UNREPLIED] flag is set all packets from the client (except the first one which created this entry) are being dropped. Syslog as is a unidirectional traffic, and server is not expected to reply with anything so this flow is broken.

What you expected to happen: All packets on same UDP connection hitting the NodePort service to be forwarded and NATed to the correct node and pod (not just the first packet)

How to reproduce it (as minimally and precisely as possible): Send multiple UDP packets on same UDP connection to a NodePort service on a node that doesn’t have the endpoint pod running on it. For example you can use nc to send multiple packets on same UDP connection: nc -p <source_port> -u <destination_ip> <destination_port>

Environment:

  • Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.1", GitCommit:"eec55b9ba98609a46fee712359c7b5b365bdd920", GitTreeState:"clean", BuildDate:"2018-12-13T10:39:04Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.1", GitCommit:"eec55b9ba98609a46fee712359c7b5b365bdd920", GitTreeState:"clean", BuildDate:"2018-12-13T10:31:33Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"linux/amd64"}

  • Cloud provider or hardware configuration: it’s all on-prem

  • OS (e.g. from /etc/os-release): NAME="Ubuntu" VERSION="18.04.1 LTS (Bionic Beaver)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 18.04.1 LTS" VERSION_ID="18.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=bionic UBUNTU_CODENAME=bionic

  • Kernel (e.g. uname -a): Linux k8s-master 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

/sig network

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 13
  • Comments: 33 (16 by maintainers)

Most upvoted comments

@freehan - why did you close if it wasn’t fixed?

+12
yanivroz on Jun 30, 2019

I just faced this issue and what worked for me was running sudo iptables -P FORWARD ACCEPT on all cluster nodes.

An unrelated comment: Kubeproxy and how it works by default which is using iptables is very problematic and this was the third time that I hit a problem related to kubeproxy and iptables and all of these 3 times it was a nightmare to pinpoint the real problem and even harder to find it on K8s github issues because of all of these stupid bots that are bombarding and closing issues without resolving them. This is exactly like sweeping the trash/problems under the carpet, please stop closing the issues without solving them.

+10
avarf on Nov 6, 2019

We close issues if there is no response for 1 month.

+8
freehan on Jul 19, 2019

open if needed

+7
freehan on Jun 27, 2019

FWIW, we’re seeing the same issue when sending traces to Jaeger.

+3
alecthomas on Mar 7, 2019

@avarf - I am sorry you are having a bad time with it. I want to help, but I’m not sure which issue you’re hitting at this point.

Sadly, there are a lot of different things that COULD be going wrong. I just ran my own attempt at a repro of this and I failed to repro the reported problem. It seems that either ctstate NEW covers “UNREPLIED” or ctstate ESTABLISHED covers it. Either way, I do not see this problem being reproduced.

Let’s take it apart a bit.

if you have no network-policy agent (e.g. calico) { 
  if you have default policy DROP {
    you need a rule or rules somewhere that allows services to work (e.g. `-p udp -j ALLOW`)
  } else /* default policy ALLOW */ {
    you don't need anything
  }
} else /* network policy enabled, I'll assume calico for this */ {
  if you have a network policy defined to allow this flow {
    policy should allow NEW connections and ESTABLISHED
  } else /* no policy defined */ {
    if you have default policy DROP {
      you need a rule or rules somewhere that allows services to work (e.g. `-p udp -j ALLOW`)
    } else /* default policy ALLOW */ {
      you don't need anything
    }
  }
}

My (admittedly manual) testing agrees with this. Here’s what I did.

  • Create a UDP server and watch it’s output (literally nc -l -u -p <port>)
  • Clear UDP conntrack (conntrack -D -p udp)
  • Remove the default allow (iptables -t filter -D FORWARD -p udp -j ACCEPT)
  • Wipe iptables -t filter -F cali-FORWARD
  • UDP client sends data
  • Confirm no packets no conntrack
  • Add an iptables rule to allow NEW (iptables -t filter -A FORWARD -p udp -m conntrack --ctstate NEW -j ACCEPT)
  • Re-run client
  • Confirm packets flow, even over the course of tens of seconds
  • Confirm a conntrack record which is “UNREPLIED”

So please tell me which problem we are facing for you? Even better, let’s open a NEW issue, without the baggage of this one. I need to see a full iptables-save as well as complete details about what’s happening.

+1
thockin on Mar 12, 2020

@skbly7: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help /unassign

Sorry, I am unable to actively look into this issue right now.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

+1
k8s-ci-robot on Aug 26, 2019

/assign @skbly7

+1
prameshj on Aug 9, 2019

The docs for NEW say “NEW The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions.” Sounds like that should match those packets. Has anyone tried adding it to the list of accepted states?

+1
fasaxc on Feb 14, 2019
Read more comments on GitHub
← kubernetes: Unexpected scheduling of replacement Pod upon Pod deletion
kubernetes: Unit Test k8s.io/kubernetes/cmd/genkubedocs fails in ppc64le →