The OVS pipeline: When project Antrea implements the K8s ClusterIP Service (hostNetwork mode) on Windows, it adds flow entries for DNAT and SNAT in OVS pipeline.
The bug can be reproduced when a client on Windows Node curl a Service with endpoint on Linux Node. The client sends packet into OVS pipeline with a port and get the reply from the port. The packet entering OVS pipeline will go through DNAT and SNAT and the reply will go through d-SNAT and d-DNAT. We found that the reply packet on Windows host has incorrect checksum (pseudo checksum) while the checksum is correct on Linux Node.
I attached the wireshark result of the packet captured on the OVS port on Windows host.
aserdean
commented
2 years ago
The OVS pipeline: When project Antrea implements the K8s ClusterIP Service (hostNetwork mode) on Windows, it adds flow entries for DNAT and SNAT in OVS pipeline.
The bug can be reproduced when a client on Windows Node curl a Service with endpoint on Linux Node. The client sends packet into OVS pipeline with a port and get the reply from the port. The packet entering OVS pipeline will go through DNAT and SNAT and the reply will go through d-SNAT and d-DNAT. We found that the reply packet on Windows host has incorrect checksum (pseudo checksum) while the checksum is correct on Linux Node.
I attached the wireshark result of the packet captured on the OVS port on Windows host.
Request: 192.168.251.1 -> 10.110.225.146 (DNAT + SNAT) 169.254.169.253 -> 10.176.26.107
Reply: 10.176.26.107 -> 169.254.169.253 (d-SNAT + d-DNAT) 10.110.225.146 -> 192.168.251.1 <==== checksum is incorrect clusterip2.pcapng.zip