Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

loader: don't disable rp-filter for IPsec #32546

Merged
merged 1 commit into from
May 16, 2024
Merged

loader: don't disable rp-filter for IPsec #32546

merged 1 commit into from
May 16, 2024

Conversation

julianwiedmann
Copy link
Member

This was added all the way back with 79b4eba ("cilium: encrypt-node needs rp_filter zerod otherwise packets are lost"), which matches the error message in that it's about encryption for node IPs.

But as IPsec now only supports pod-to-pod traffic, we can likely remove this part.

@julianwiedmann
loader: don't disable rp-filter for IPsec
c354f5f 
This was added all the way back with 79b4eba ("cilium: encrypt-node
needs rp_filter zerod otherwise packets are lost"), which matches the
error message in that it's about encryption for node IPs.

But as IPsec now only supports pod-to-pod traffic, we can likely remove
this part.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann added sig/loader Impacts the loading of BPF programs into the kernel. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/misc This PR makes changes that have no direct user impact. kind/tech-debt Technical debt feature/ipsec Relates to Cilium's IPsec feature labels May 15, 2024
@julianwiedmann julianwiedmann requested review from a team and pchaigno and removed request for a team May 15, 2024 10:20
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review May 15, 2024 17:58
@julianwiedmann julianwiedmann requested a review from a team as a code owner May 15, 2024 17:58
@julianwiedmann julianwiedmann requested a review from lmb May 15, 2024 17:58
@julianwiedmann
Copy link
Member Author

Credit to @ysksuzuki for digging up all the code locations where we currently manage the RP filter!

We've had slight concerns that the two cases below might even conflict - so it's great if we can clean this up:

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 16, 2024
@pchaigno pchaigno added this pull request to the merge queue May 16, 2024
Merged via the queue into cilium:main with commit e1cf5a1 May 16, 2024
66 checks passed
@julianwiedmann julianwiedmann deleted the 1.16-ipsec-rp-filter branch May 16, 2024 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lmb lmb lmb approved these changes

@pchaigno pchaigno pchaigno approved these changes

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature kind/tech-debt Technical debt ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/loader Impacts the loading of BPF programs into the kernel.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@julianwiedmann @lmb @pchaigno