From 0c8bc569305d8836bfa9ccc18b55bc19f9d7c065 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Oliveirinha?= Date: Wed, 12 Jul 2023 10:37:19 +0100 Subject: [PATCH] TUN-7575: Add option to disable PTMU discovery over QUIC This commit implements the option to disable PTMU discovery for QUIC connections. QUIC finds the PMTU during startup by increasing Ping packet frames until Ping responses are not received anymore, and it seems to stick with that PMTU forever. This is no problem if the PTMU doesn't change over time, but if it does it may case packet drops. We add this hidden flag for debugging purposes in such situations as a quick way to validate if problems that are being seen can be solved by reducing the packet size to the edge. Note however, that this option may impact UDP proxying since we expect being able to send UDP packets of 1280 bytes over QUIC. So, this option should not be used when tunnel is being used for UDP proxying. --- cmd/cloudflared/tunnel/cmd.go | 12 ++++++++++++ cmd/cloudflared/tunnel/configuration.go | 1 + supervisor/tunnel.go | 19 +++++++++++-------- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go index a09e5c41..2d092b0c 100644 --- a/cmd/cloudflared/tunnel/cmd.go +++ b/cmd/cloudflared/tunnel/cmd.go @@ -82,6 +82,11 @@ const ( // udpUnregisterSessionTimeout is how long we wait before we stop trying to unregister a UDP session from the edge udpUnregisterSessionTimeoutFlag = "udp-unregister-session-timeout" + // quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size. + // Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size. + // Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets. + quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery" + // uiFlag is to enable launching cloudflared in interactive UI mode uiFlag = "ui" @@ -692,6 +697,13 @@ func tunnelFlags(shouldHide bool) []cli.Flag { Value: 5 * time.Second, Hidden: true, }), + altsrc.NewBoolFlag(&cli.BoolFlag{ + Name: quicDisablePathMTUDiscovery, + EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"}, + Usage: "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.", + Value: false, + Hidden: true, + }), altsrc.NewStringFlag(&cli.StringFlag{ Name: connectorLabelFlag, Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.", diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go index 56e5c12c..8d1fe209 100644 --- a/cmd/cloudflared/tunnel/configuration.go +++ b/cmd/cloudflared/tunnel/configuration.go @@ -240,6 +240,7 @@ func prepareTunnelConfig( PQKexIdx: pqKexIdx, MaxEdgeAddrRetries: uint8(c.Int("max-edge-addr-retries")), UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag), + DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery), } packetConfig, err := newPacketConfig(c, log) if err != nil { diff --git a/supervisor/tunnel.go b/supervisor/tunnel.go index 9052398d..3ba04050 100644 --- a/supervisor/tunnel.go +++ b/supervisor/tunnel.go @@ -70,6 +70,8 @@ type TunnelConfig struct { PacketConfig *ingress.GlobalRouterConfig UDPUnregisterSessionTimeout time.Duration + + DisableQUICPathMTUDiscovery bool } func (c *TunnelConfig) registrationOptions(connectionID uint8, OriginLocalIP string, uuid uuid.UUID) *tunnelpogs.RegistrationOptions { @@ -596,14 +598,15 @@ func (e *EdgeTunnelServer) serveQUIC( } quicConfig := &quic.Config{ - HandshakeIdleTimeout: quicpogs.HandshakeIdleTimeout, - MaxIdleTimeout: quicpogs.MaxIdleTimeout, - KeepAlivePeriod: quicpogs.MaxIdlePingPeriod, - MaxIncomingStreams: quicpogs.MaxIncomingStreams, - MaxIncomingUniStreams: quicpogs.MaxIncomingStreams, - EnableDatagrams: true, - MaxDatagramFrameSize: quicpogs.MaxDatagramFrameSize, - Tracer: quicpogs.NewClientTracer(connLogger.Logger(), connIndex), + HandshakeIdleTimeout: quicpogs.HandshakeIdleTimeout, + MaxIdleTimeout: quicpogs.MaxIdleTimeout, + KeepAlivePeriod: quicpogs.MaxIdlePingPeriod, + MaxIncomingStreams: quicpogs.MaxIncomingStreams, + MaxIncomingUniStreams: quicpogs.MaxIncomingStreams, + EnableDatagrams: true, + MaxDatagramFrameSize: quicpogs.MaxDatagramFrameSize, + Tracer: quicpogs.NewClientTracer(connLogger.Logger(), connIndex), + DisablePathMTUDiscovery: e.config.DisableQUICPathMTUDiscovery, } quicConn, err := connection.NewQUICConnection(