Fix: Next-Hop MTU in ICMPv4 "Fragmentation Needed" Packets#12830
Open
copybara-service[bot] wants to merge 1 commit intomasterfrom
Open
Fix: Next-Hop MTU in ICMPv4 "Fragmentation Needed" Packets#12830copybara-service[bot] wants to merge 1 commit intomasterfrom
copybara-service[bot] wants to merge 1 commit intomasterfrom
Conversation
Fixes #12568 ### Problem - When gVisor sends an ICMPv4 “Fragmentation Needed” message (Type 3, Code 4), it was leaving the Next-Hop MTU field as 0. - According to RFC 1191, this field must contain the MTU of the next-hop link. Sending 0 is incorrect. ### Impact - When a Linux host receives a Fragmentation Needed message with MTU set to 0, it falls back to an old default value from the RFC plateau table. In practice, this results in the system caching an MTU of 552 bytes. - That causes connections to containers behind gVisor to degrade significantly, especially for larger packets. It can also create long-lived MTU locks in the routing cache, which impacts performance to external services like GitHub. ### Root cause **In the IPv4 forwarding path**: If a packet: - Has the Don’t Fragment bit set - Exceeds the outgoing link MTU gVisor correctly generates an ICMP Destination Unreachable with Code 4. However, while constructing the ICMP header, it never sets the Next-Hop MTU field using icmpHdr.SetMTU(). As a result, the MTU remains 0. The method to set it already exists. It just wasn’t being used. ### What this change does 1. Introduces a new ICMP reason type that carries the next-hop MTU value. 2. Updates sendICMPv4 to: - Set the correct ICMP code for Fragmentation Needed. - Populate the MTU field with the actual link MTU. - Safely cap it to uint16 maximum. 3. Updates the forwarding path to pass the correct MTU when generating the ICMP error. ### Result Now, when a packet is too large and cannot be forwarded: - gVisor correctly includes the actual next-hop MTU in the ICMP response. - Hosts update their Path MTU properly. - No fallback to 552 bytes. - No unnecessary performance degradation. FUTURE_COPYBARA_INTEGRATE_REVIEW=#12634 from pawannn:master 2067f61 PiperOrigin-RevId: 892405056
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix: Next-Hop MTU in ICMPv4 "Fragmentation Needed" Packets
Fixes #12568
Problem
Impact
Root cause
In the IPv4 forwarding path:
If a packet:
gVisor correctly generates an ICMP Destination Unreachable with Code 4.
However, while constructing the ICMP header, it never sets the Next-Hop MTU field using icmpHdr.SetMTU(). As a result, the MTU remains 0.
The method to set it already exists. It just wasn’t being used.
What this change does
Result
Now, when a packet is too large and cannot be forwarded:
FUTURE_COPYBARA_INTEGRATE_REVIEW=#12634 from pawannn:master 2067f61