
tcplbl3dsrha fail (loxilb, closed)

nitzan-tz commented on June 2, 2024
tcplbl3dsrha fail

from loxilb.

Comments (6)

inhogog2 commented on June 2, 2024

Hi @nitzan-tz,
As @UltraInstinct14 mentioned, traffic for undefined rules appears to have resulted in a loop.
If you add an IP address for 20.20.20.1 or add a rule for 20.20.20.1 with ICMP, like
loxicmd create lb 20.20.20.1 --icmp --endpoints=56.56.56.1:1,57.57.57.1:1,58.58.58.1:1 --mode dsr --select hash
then it is confirmed that the loop disappears.

Thank you very much for your opinion. Regarding undefined rules, we will consider disabling ICMP redirect in the next release.


UltraInstinct14 commented on June 2, 2024

We can have a mode where loxilb can simply blackhole all untrusted traffic. If a TCP rule is available, only allow that. All other streams can be blackholed.


TrekkieCoder commented on June 2, 2024

tcplbl3dsrha was a work in progress. However, the tcplbl3dsrha cicd scenario has been updated after this report. As you correctly pointed out, ep3 was not being set up properly. And yes, there was no need to check connectivity to ep1, ep2 and ep3. So, now it skips those and checks VIP connectivity directly instead. Also, some code fixes were needed to completely fix this scenario.

Request to update to the latest images/scripts and give it a try!! Thanks!!


nitzan-tz commented on June 2, 2024

Hi,

I cloned the latest branch and deleted the Docker image before I ran the config again.

root@554d7e3a98d5:/# loxicmd version 
v0.9.0 2024_01_23-main-3ecac9f

I still see a few issues:

  1. Ping from the user container to the VIP receives an ICMP redirect and then there is a routing loop. Maybe disabling ICMP redirect for the Docker container would be a good idea.
root@554d7e3a98d5:/# tcpdump -nni vlan11  icmp 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 262144 bytes
18:23:28.893097 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893175 IP 11.11.11.2 > 1.1.1.1: ICMP redirect 20.20.20.1 to host 11.11.11.254, length 92
18:23:28.893183 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893205 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893225 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893234 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893244 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
  2. For application traffic there is a loop, as you can see in the attached image. It looks like the loxilb doesn't pick up the packet.

image

  3. On r1 you didn't enable ECMP, so it has only one path. Adding "maximum-paths 4" solved it.
4144d1e7872d# sh ip route 20.20.20.1/32
Routing entry for 20.20.20.1/32
  Known via "bgp", distance 20, metric 0, best
  Last update 00:00:15 ago
  * 11.11.11.2, via vlan11

4144d1e7872d# conf t
4144d1e7872d(config)# router bgp 65001 
4144d1e7872d(config-router)# maximum-paths 4
4144d1e7872d(config-router)# end
4144d1e7872d# sh ip route 20.20.20.1/32
Routing entry for 20.20.20.1/32
  Known via "bgp", distance 20, metric 0, best
  Last update 00:00:02 ago
  * 11.11.11.2, via vlan11
  * 11.11.11.1, via vlan11

Thanks

Nitzan
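
Added example (not part of the original thread and not loxilb code): a small Python check for the pattern in the capture above, where one ICMP echo request (same source, destination, id and seq) appears many times on a single interface, together with an ICMP redirect. The capture lines are copied from the comment; the function name and the `loop_threshold` parameter are assumptions made for this sketch.

```python
import re
from collections import Counter

# Lines copied from the tcpdump output posted in the comment above.
CAPTURE = """\
18:23:28.893097 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893175 IP 11.11.11.2 > 1.1.1.1: ICMP redirect 20.20.20.1 to host 11.11.11.254, length 92
18:23:28.893183 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893205 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893225 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893234 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
18:23:28.893244 IP 1.1.1.1 > 20.20.20.1: ICMP echo request, id 13, seq 1, length 64
"""

ECHO_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^:\s]+): ICMP echo request, "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")
REDIRECT_RE = re.compile(
    r"IP (?P<router>\S+) > (?P<host>[^:\s]+): ICMP redirect "
    r"(?P<target>\S+) to (?:host|net) (?P<gw>[^,\s]+)")


def analyze(capture, loop_threshold=3):
    """Return (redirects, loops) found in `tcpdump -nn` text output.

    redirects: one dict per ICMP redirect line (router, host, target, gw).
    loops: {(src, dst, id, seq): count} for echo requests seen at least
    loop_threshold times. A sender emits each id/seq once, so repeats on
    one interface mean the same packet keeps being forwarded back onto it.
    """
    echoes = Counter()
    redirects = []
    for line in capture.splitlines():
        m = REDIRECT_RE.search(line)
        if m:
            redirects.append(m.groupdict())
            continue
        m = ECHO_RE.search(line)
        if m:
            echoes[(m["src"], m["dst"], int(m["id"]), int(m["seq"]))] += 1
    loops = {k: n for k, n in echoes.items() if n >= loop_threshold}
    return redirects, loops


if __name__ == "__main__":
    redirects, loops = analyze(CAPTURE)
    for r in redirects:
        print(f"redirect: {r['router']} told {r['host']} to use {r['gw']} for {r['target']}")
    for (src, dst, icmp_id, seq), n in loops.items():
        print(f"possible loop: {src} > {dst} id={icmp_id} seq={seq} seen {n} times")
```
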


UltraInstinct14 commented on June 2, 2024

By default, loxilb serves only the "VIP+ServicePort" combination. All other traffic will be ignored. So, ping to 20.20.20.1 is routed via some default route and creates the problem that you mentioned. You can add ip addr add 20.20.20.1/32 dev lo manually to llb1 and llb2 and it should be fine.


TrekkieCoder commented on June 2, 2024

The original issue is considered fixed. The suggestions will be taken up as enhancements in a future release.
