Skip to content

Commit

Permalink
connectivity: add unknown ICMPv4 code as expected drop reason
Browse files Browse the repository at this point in the history 
ICMP destination unreachable packets are dropped with "Unknown ICMPv4
code" reason when Cilium is configured with both KPR and BPF masquerade
enabled, except that in the fragmentation needed case. Hence, let's add them
to the default list of expected drop reasons, as they can be legitimately
generated for instance when connecting to a NodePort if the corresponding
backend is not yet ready, as in the clustermesh case:

172.18.0.7:35748 (ID:9) <> kube-system/clustermesh-apiserver:32379 (host) from-network FORWARDED (TCP Flags: SYN)
172.18.0.2 (host) <> 172.18.0.7 (ID:9) Unknown ICMPv4 code DROPPED (ICMPv4 DestinationUnreachable(Port))

Otherwise the no-unexpected-packet-drops test fails with:

🟥 Found unexpected packet drops:
{
  "labels": {
    "direction": "EGRESS",
    "reason": "Unknown ICMPv4 code"
  },
  "name": "cilium_drop_count_total",
  "value": 10
}

Signed-off-by: Marco Iorio <[email protected]>
  • Loading branch information
@giorio94 @michi-covalent
giorio94 authored and michi-covalent committed Jan 23, 2024
1 parent d36c5fc commit c1e6ef6
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions defaults/defaults.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,7 @@ var (
"Unknown L3 target address",
"No tunnel/encapsulation endpoint (datapath BUG!)",
"Host datapath not ready",
"Unknown ICMPv4 code",
}

ExpectedXFRMErrors = []string{
Expand Down

0 comments on commit c1e6ef6

Please sign in to comment.