Q: NodePort does not forward SNMP trap packets larger than 1500 bytes

Description

I am setting up an SNMP trap service using NodePort to receive SNMP traps from network devices. However, many of the trap packets sent by these network devices are larger than 1500 bytes and have the DF (Don’t Fragment) flag set, meaning they cannot be fragmented. Unfortunately, the configuration on these network devices cannot be changed.

In our Kubernetes cluster, the MTU (Maximum Transmission Unit) for the node hosts is set to 1500. The NodePort is able to receive UDP packets larger than 1500 bytes with the DF flag, but it doesn’t automatically forward them to the service port. It seems like the packets are being filtered out somewhere in the process.

Question

Where could these packets be getting filtered, and how can this issue be resolved to ensure that the SNMP trap packets are properly forwarded to the service?

Expected behavior

NodePort should correctly forward UDP packets larger than 1500 bytes with the DF flag to the SNMP trap service.

Any advice or suggestions on how to resolve this issue would be greatly appreciated.

Cluster information:

Kubernetes version: v1.22.1
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Ubuntu 20.04
CNI and version: Calico v3.19
CRI and version: containerd v1.4.9
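To confirm whether the trap datagrams really are larger than the node's MTU with DF set, one can parse the IPv4 and UDP headers of captured packets and count the ones that no 1500-byte link can carry unfragmented. The following is an added example written for this thread, not code from the original post or from Calico/Kubernetes; the datagrams it inspects are constructed in `build_trap_datagram` rather than taken from a real capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SNMP_TRAP_PORT = 162
IPPROTO_UDP = 17

@dataclass
class DatagramInfo:
    total_length: int   # IPv4 Total Length field, in bytes (header + payload)
    df: bool            # Don't Fragment flag
    more_fragments: bool
    protocol: int
    dst_port: Optional[int]

def parse_ipv4(packet: bytes) -> DatagramInfo:
    """Parse the IPv4 header of a raw datagram, plus the UDP destination port if it is UDP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBHII", packet[:20])
    version_ihl, total_length, flags_frag, proto = fields[0], fields[2], fields[4], fields[6]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes (options included)
    df = bool(flags_frag & 0x4000)          # bit 1 of the flags field
    mf = bool(flags_frag & 0x2000)          # bit 2 of the flags field
    dst_port = None
    if proto == IPPROTO_UDP and len(packet) >= ihl + 8:
        dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    return DatagramInfo(total_length, df, mf, proto, dst_port)

def will_not_pass(info: DatagramInfo, mtu: int = 1500) -> bool:
    """True when the datagram exceeds the link MTU and forbids fragmentation (it must be dropped,
    and the dropping hop should answer with ICMP Fragmentation Needed)."""
    return info.total_length > mtu and info.df

def build_trap_datagram(payload_len: int, df: bool = True, dst_port: int = SNMP_TRAP_PORT) -> bytes:
    """Constructed IPv4/UDP datagram for testing (checksums left zero; not a real captured trap)."""
    total_len = 20 + 8 + payload_len
    flags_frag = 0x4000 if df else 0
    ip_hdr = struct.pack("!BBHHHBBHII", 0x45, 0, total_len, 1, flags_frag, 64,
                         IPPROTO_UDP, 0, 0x0A000001, 0x0A000002)
    udp_hdr = struct.pack("!HHHH", 50000, dst_port, 8 + payload_len, 0)
    return ip_hdr + udp_hdr + bytes(payload_len)

def audit(packets, mtu: int = 1500) -> int:
    """Count SNMP trap datagrams in a capture that a link with this MTU would have to drop."""
    return sum(1 for pkt in packets
               if (i := parse_ipv4(pkt)).dst_port == SNMP_TRAP_PORT and will_not_pass(i, mtu))
```

Running `audit` over the raw IPv4 datagrams of a capture taken on the node's uplink versus one taken on the pod's veth shows at which hop the oversized DF traps disappear.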

As far as I know, there is nothing in the iptables config that Kubernetes itself uses that relates to the MTU. It looks like you’re using Calico, which probably also uses iptables, though it also has some eBPF support. I would start with a conversation with the Calico folks, to see if there’s something particular that they are doing.

I am surprised that you say it will receive large packets, even though the MTU is low. I would not be surprised if there are things that go wrong when you try to do that.

My first bet honestly would be to set the MTU of the host larger and make sure that all the containers also get that MTU.