
Commit f301e3e

committed
fix: update KubeSpan MSS clamping
Subtract 12 bytes more from the MTU to build correct MSS clamping for TCP. Linux by default adds TCP options (timestamps, etc.) which seem to occupy 12 bytes (3 options). This zeroes out TCP retransmissions on `iperf3` testing with KubeSpan, but has no effect on throughput. Fixes #12311 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
1 parent 74c1df6 commit f301e3e


4 files changed

+18
-10
lines changed


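--- a/internal/app/machined/pkg/adapters/network/network.go
+++ b/internal/app/machined/pkg/adapters/network/network.go
@@ -4,3 +4,11 @@
 
 // Package network implements adapters wrapping resources/network to provide additional functionality.
 package network
+
+// MSS calculation constants.
+const (
+IPv4HeaderLen = 20 // IPv4 fixed header length
+IPv6HeaderLen = 40 // IPv6 fixed header length
+TCPHeaderLen = 20 // fixed TCP header length, without options
+TCPOptionsLen = 12 // assuming typical options like SACK, timestamps, etc. used by default in Linux
+)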
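Review bot: The comment on `TCPOptionsLen` does not say where 12 comes from, and "SACK, timestamps, etc." is broader than what 12 bytes can hold. The timestamps option is 10 bytes and is normally padded to 12, while SACK blocks, when present, take additional space on top of that, so this budget presumably covers timestamps only. I would reword it to `TCPOptionsLen = 12 // TCP timestamps option (10 bytes) padded to a 4-byte boundary; SACK blocks not included` and add that the value was chosen empirically, as the commit message says. Since these are exported names, a doc comment line on each constant starting with its name would also match Go convention.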

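--- a/internal/app/machined/pkg/adapters/network/nftables_rule.go
+++ b/internal/app/machined/pkg/adapters/network/nftables_rule.go
@@ -584,9 +584,9 @@ func (a nftablesRule) Compile() (*NfTablesCompiled, error) {
 
 switch family { //nolint:exhaustive
 case nftables.TableFamilyIPv4:
-mss = mtu - 40 // TCP + IPv4 overhead
+mss = mtu - (IPv4HeaderLen + TCPHeaderLen + TCPOptionsLen) // TCP + IPv4 overhead
 case nftables.TableFamilyIPv6:
-mss = mtu - 60 // TCP + IPv6 overhead
+mss = mtu - (IPv6HeaderLen + TCPHeaderLen + TCPOptionsLen) // TCP + IPv6 overhead
 default:
 panic("unexpected IP family")
 }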
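Review bot: Nothing in this hunk checks that `mtu` exceeds the overhead being subtracted, and the two `mss = mtu - (...)` lines now remove 52 and 72 bytes instead of 40 and 60. The declarations of `mtu` and `mss` are outside the hunk; if they are unsigned, a too-small configured MTU wraps to a very large value, and the rule would then compile without error but no longer clamp anything. Computing the overhead into a local in each case and returning an error first, e.g. `if mtu <= overhead { return nil, fmt.Errorf("MTU %d too small for MSS clamping", mtu) }` (assuming `fmt` is imported in this file), would surface the misconfiguration. Compile's body starts and ends outside the hunk.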

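--- a/internal/app/machined/pkg/adapters/network/nftables_rule_test.go
+++ b/internal/app/machined/pkg/adapters/network/nftables_rule_test.go
@@ -427,11 +427,11 @@ func TestNfTablesRuleCompile(t *testing.T) { //nolint:tparallel
 &expr.Cmp{
 Op: expr.CmpOpGt,
 Register: 1,
-Data: []byte{0x04, 0xd8},
+Data: []byte{0x04, 0xcc},
 },
 &expr.Immediate{
 Register: 1,
-Data: []byte{0x04, 0xd8},
+Data: []byte{0x04, 0xcc},
 },
 &expr.Exthdr{
 SourceRegister: 1,
@@ -485,11 +485,11 @@ func TestNfTablesRuleCompile(t *testing.T) { //nolint:tparallel
 &expr.Cmp{
 Op: expr.CmpOpGt,
 Register: 1,
-Data: []byte{0x04, 0xc4},
+Data: []byte{0x04, 0xb8},
 },
 &expr.Immediate{
 Register: 1,
-Data: []byte{0x04, 0xc4},
+Data: []byte{0x04, 0xb8},
 },
 &expr.Exthdr{
 SourceRegister: 1,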
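Review bot: The expected MSS values in both hunks are raw byte literals, so a reader cannot see that they follow from the new constants. `0x04cc` is 1228 and `0x04b8` is 1208, which matches an MTU of 1280 minus 52 and 72 bytes, assuming 1280 is what these test cases configure (the setup is outside the hunks). A trailing comment on each literal, e.g. `Data: []byte{0x04, 0xcc}, // 1228 = 1280 - (IPv4HeaderLen + TCPHeaderLen + TCPOptionsLen)`, would keep the expectations checkable the next time the overhead changes. The same applies to the 1368 and 1348 literals in nftables_chain_test.go.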

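--- a/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
+++ b/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
@@ -365,14 +365,14 @@ func (s *NfTablesChainSuite) TestClampMSS() {
 s.checkNftOutput(`table inet talos-test {
 chain test1 {
 type filter hook input priority filter; policy accept;
-meta nfproto ipv4 tcp flags syn / syn,rst tcp option maxseg size > 1380 tcp option maxseg size set 1380
-meta nfproto ipv6 tcp flags syn / syn,rst tcp option maxseg size > 1360 tcp option maxseg size set 1360
+meta nfproto ipv4 tcp flags syn / syn,rst tcp option maxseg size > 1368 tcp option maxseg size set 1368
+meta nfproto ipv6 tcp flags syn / syn,rst tcp option maxseg size > 1348 tcp option maxseg size set 1348
 }
 }`, `table inet talos-test {
 chain test1 {
 type filter hook input priority filter; policy accept;
-meta nfproto ipv4 tcp flags & (syn | rst) == syn tcp option maxseg size > 1380 tcp option maxseg size set 1380
-meta nfproto ipv6 tcp flags & (syn | rst) == syn tcp option maxseg size > 1360 tcp option maxseg size set 1360
+meta nfproto ipv4 tcp flags & (syn | rst) == syn tcp option maxseg size > 1368 tcp option maxseg size set 1368
+meta nfproto ipv6 tcp flags & (syn | rst) == syn tcp option maxseg size > 1348 tcp option maxseg size set 1348
 }
 }`)
 }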
