IPv4 fragment handling

By default, Cilium configures the eBPF datapath to perform IP fragment tracking to allow protocols that do not support segmentation (such as UDP) to transparently transmit large messages over the network. IP fragment tracking is implemented in eBPF using an LRU (Least Recently Used) map which requires Linux 4.10 or later. This feature may be configured using the following options:

• --enable-ipv4-fragment-tracking: Enable or disable IPv4 fragment tracking. Enabled by default.
• --bpf-fragments-map-max: Control the maximum number of active concurrent connections using IP fragmentation. For the defaults, see eBPF Maps.

Note

When running Cilium with kube-proxy, fragmented NodePort traffic may break due to a kernel bug where route MTU is not respected for forwarded packets. Cilium fragments tracking requires the first logical fragment to arrive first. Due to the kernel bug, additional fragmentation on the outer encapsulation layer may happen that causes packet reordering and results in a failure in tracking the fragments.

The kernel bug has been fixed and backported to all maintained kernel versions. If you observe connectivity problems, ensure that the kernel package on your nodes has been upgraded recently before reporting an issue.

Note

This is a beta feature. Please provide feedback and file a GitHub issue if you experience any problems.