
Analysis of Duplicate UDP Packets in Kubernetes Bridge Mode and Its Resolution

The article investigates why duplicate UDP packets appear when a client accesses a pod via a Service in Kubernetes bridge mode, analyzes kernel processing with the eBPF tool skbtracer, identifies the role of promiscuous mode and packet cloning, and proposes an ebtables rule to eliminate the duplication.

Cloud Native Technology Community

This technical article examines the phenomenon of duplicate UDP packets observed when a client communicates with a pod through a Service in Kubernetes bridge (cbr0) mode. Using the eBPF-based tool skbtracer, the author traces packet flow through the Linux kernel, revealing that enabling promiscuous mode on the bridge causes the kernel to clone packets and forward them both via the bridge forwarding path and the standard IP stack, resulting in duplicate delivery.

The analysis dives into kernel functions such as br_handle_frame_finish and ip_rcv, showing how packet type (PACKET_HOST vs. PACKET_OTHERHOST) determines whether the cloned packet is processed further. When the bridge is in promiscuous mode, the cloned packet is passed up to the network stack, leading to two identical packets reaching the destination pod.

To resolve the issue, the author recommends adding an ebtables rule that drops packets originating from the bridge’s MAC address and destined for the pod network, effectively preventing the cloned packet from being delivered twice. The solution is demonstrated to work across different Kubernetes versions, noting that the original kernel patch was merged into Kubernetes master but not propagated to CNI plugins.

Overall, the article provides a clear root‑cause analysis of duplicate packet problems in container networking and offers a practical mitigation strategy using ebtables.

Tags: kubernetes, eBPF, Networking, CNI, Bridge Mode, duplicate-packets
Written by

Cloud Native Technology Community

The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.
