[EKS+tunnel] Wrong source address of return packet in host-to-pod #16975

@ti-mo

Description

Bug report

General Information

I'm running DNS queries from the Cilium agent pod (192.168.146.198) against CoreDNS (10.0.1.120) running on a remote node. nslookup times out.

13:42:43.672847 IP 192.168.146.198.49128 > 10.0.1.120.53: 11112+ AAAA? jenkins.cilium.io. (35)
13:42:43.673706 IP 192.168.186.218.53 > 192.168.146.198.49128: 11112* 0/1/0 (112)

The reply packet is incorrectly SNATed to the source IP of the other node (192.168.186.218), breaking the connection.

Note that this breaks the FQDN proxy in tunnel mode because DNS lookups are performed from the agent pod.

How to reproduce the issue

  1. Set up EKS cluster
  2. ./cilium install --datapath-mode=tunnel --ipam cluster-pool
  3. Drop into Cilium agent pod and nslookup against a CoreDNS instance on another node.

Possibly related:

After fixing the issue
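A quick way to spot the symptom in the trace above (the reply arriving from an address other than the one the query was sent to) is to correlate each DNS reply with its query by client endpoint and transaction ID. The script below is an added example, not part of the original report or of Cilium; the trace it parses is constructed to mirror the two lines in the report plus one healthy exchange, and the awk field layout assumes the default `tcpdump -n` text format shown there.

```shell
#!/bin/sh
# Added example (not from the issue or from Cilium): flag DNS replies whose
# source endpoint differs from the endpoint the query was sent to, using
# tcpdump's default "-n" text output. Field layout assumed:
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 txn-id[+*]

# Constructed sample trace: the two lines from the report (mismatch) and one
# healthy query/reply pair where the reply comes back from the queried server.
SAMPLE_TRACE='13:42:43.672847 IP 192.168.146.198.49128 > 10.0.1.120.53: 11112+ AAAA? jenkins.cilium.io. (35)
13:42:43.673706 IP 192.168.186.218.53 > 192.168.146.198.49128: 11112* 0/1/0 (112)
13:42:44.100000 IP 192.168.146.198.49129 > 10.0.1.120.53: 22222+ A? example.org. (29)
13:42:44.100900 IP 10.0.1.120.53 > 192.168.146.198.49129: 22222 1/0/0 A 93.184.216.34 (45)'

# find_mismatched_dns_replies: read tcpdump lines on stdin and print one
# MISMATCH line per reply whose source is not the server the query went to.
find_mismatched_dns_replies() {
    awk '
    {
        src = $3
        dst = $5; sub(/:$/, "", dst)      # drop the trailing colon on dst
        id  = $6; sub(/[+*]$/, "", id)    # drop the +/* flag on the txn id
    }
    # Query: destination port 53. Remember which server this client+id used.
    dst ~ /\.53$/ {
        sent_to[src ":" id] = dst
        next
    }
    # Reply: source port 53. The reply dst is the original client endpoint.
    src ~ /\.53$/ {
        key = dst ":" id
        if (key in sent_to && sent_to[key] != src) {
            printf "MISMATCH id=%s client=%s queried=%s reply_from=%s\n", \
                   id, dst, sent_to[key], src
        }
    }'
}

# Stand-alone run over the constructed trace.
printf '%s\n' "$SAMPLE_TRACE" | find_mismatched_dns_replies
```

On a live node the same function can be fed from a capture, for example `tcpdump -l -n -i any udp port 53 | find_mismatched_dns_replies`; a MISMATCH line means the client's UDP socket will discard the reply, which is exactly why nslookup times out in the report.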

Metadata

Assignees: No one assigned

Labels: area/datapath, kind/bug, stale