This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

/assign @danwinship @thockin
/cc @cyclinder

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/test pull-kubernetes-node-e2e-containerd

/lgtm

LGTM label has been added.

@aroradaman The problem should be the same for proxy-mode=ipvs. No issues, but some comments #74839 (comment).

Should we add this in the ipvs proxier as well?

Um, perhaps not. That would be an incompatible update, and likely break functionality for those who have switched to ipvs to support asymmetric routing. They may suddenly get the DROP unless they have set tcp_be_liberal

@uablrek @aojea @danwinship
(I might be wrong here)

Here, If nf_conntrack_tcp_be_liberal is set we don't install DROP rules for packets marked INVALID but by enabling liberal we are telling conntrack not to mark packets as INVALID.

So this change is a no-op in terms of packet filtering, this is more like an optimization by reducing the number of rules and improving parsing speed?

That would be an incompatible update, and likely break functionality for those who have switched to ipvs to support asymmetric routing. They may suddenly get the DROP unless they have set tcp_be_liberal

ipvs don't need the DROP rule, the admin can set nf_conntrack_tcp_be_liberal by themself, and if #120354 is merged, We can also set it thought kube-proxy.

ipvs don't need the DROP rule

I try to understand why. Am I right that ipvs does the NAT (in masq mode) (figure), and ipvs will do that regardless of any out-of-window problems? In other words, ipvs is always "liberal".

(I might be wrong here)

I think so. There are 2 problems:

1. In unusual situations an out-of-window TCP packet can arrive. It is benign, and not really an error. But since conntrack is considering it INVALID (may be considered a kernel bug), no SNAT is done. See the figure
2. Some K8s deployments setup asymmetric routing, or uses globally unique addresses (GUA) for IPv6 POD addresses, and don't NAT those on outgoing connects

The first problem can be solved either by setting nf_conntrack_tcp_be_liberal (the packet is not considered INVALID), or you can insert a DROP rule for packets marked INVALID.

But inserting a DROP rule, disables asymmetric routing, or using IPv6 GUA addresses for outgoing connects!

Without Antonio's PR, asymmetric routing is simply not possible in proxy-mode=iptables, but with it users can set nf_conntrack_tcp_be_liberal to suspress the DROP rule. Elegant and backward compatible.

IMO this is a very good description (from 2018!)

This is a limitation of conntrack which does not differentiate perfectly legal packets causing TCP window overflow from actually malformed packets (all get treated as INVALID).

@danwinship This may be an argument for upgrading the "limitation" to a kernel bug?

As far as I know, ipvs handles SNAT/DNAT in a separate kernel module(INPUT Chain), but it also relies on conntrack, I'm not sure if there is the same problem. I think yes.

ipvs don't need the DROP rule

I want to say that this PR is for iptables mode to handle the issue of asymmetric routing and keep backward compatibility, while ipvs mode does not require this PR, support for setting the sysctl is enough.

@danwinship This may be an argument for upgrading the "limitation" to a kernel bug?

copying from #117924 (comment):

the bug (at least in the form that we are causing it in our regression test) is fixed in kernel 6.2 6.1 ("netfilter: conntrack: ignore overly delayed tcp packet").