Clarification on outbound-transport-mode

Linkerd General Discussion
,
1

Hello,

with edge release 25.3.2 linkerd changed the default for outbound-transport-mode to transport-header, which will result in all traffic between meshed proxies flowing on port 4143, rather than using the original destination port.

This change took us by surprise after updateing to 25.4.4, as network policies with filters on specific TCP-ports were blocking traffic between pods after the update. Another thing we’ve noticed after the update were a lot of linkerd-proxy log lines with messages like this (though this had no noticeable effect on the applications):

[105348.358590s] INFO ThreadId(01) inbound: linkerd_app_core::serve: Connection closed error=read header from client timeout client.addr=172.24.24.79:34950 server.addr=172.24.5.148:8080

I would like to better understand the motivation behind setting the default outbound transport mode now to ‘transport-header’, but I haven’t been able to find any documentation on the two different modes. Is outbound-transport-mode=tranparent now considered a legacy feature (as it appeared in discussions in feat(destination): introduce transport-protocol outbound TLS mode by sfleen · Pull Request #13699 · linkerd/linkerd2 · GitHub) or will this mode be available in the long term?

Thanks

Christian

2

We changed the default transport mode mostly because it narrows the scope of what the proxy needs to understand for incoming connections. Previously the Linkerd proxy needed to be able to differentiate mTLS connections from cleartext sometimes; it doesn’t need to do that any more, which simplifies things. transparent mode is expected to be available for the foreseeable future as a thing you can explicitly enable.

I’m checking on the log lines – how often are you seeing those?

3

Hi,
thanks for the reply. Regarding the log lines I was able to make a deeper analysis.
The message apears in the linkerd-proxy log of the http server when a client makes a http request and keeps the connection open. If the tcp connection isn’t closed after 30 seconds linkerd-proxy prints out the line. I have tried setting “config.linkerd.io/close-wait-timeout” to “1m” but that doesn’t seem the be the right parameter.