wireguard: Encrypt L7 proxy pkts to remote pods
[ upstream commit 26f8349 ]

Marco reported that the following L7 proxy traffic is leaked (bypasses
the WireGuard encryption):

    1. WG: tunnel, L7 egress policy: forward traffic is leaked
    2. WG: tunnel, DNS: all DNS traffic is leaked
    3. WG: native routing, DNS: all DNS traffic is leaked

This was reported before the introduction of the --wireguard-encapsulate
[1].

The tunneling leak cases are obvious. The L7 proxy traffic got
encapsulated by Cilium's tunneling device. This made it bypass
the redirection to Cilium's WireGuard device. However, [1] fixed
this behavior. For Cilium v1.15 (upcoming) nothing needs to be
configured. Meanwhile, for v1.14.4 users need to set
--wireguard-encapsulate=true.

The native routing case is more tricky. The L7 proxy traffic got a src IP
of a host instead of a client pod. So, the redirection was bypassed.
To fix this, we extended the redirection check to identify L7 proxy
traffic.

[1]: #28917

Reported-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb authored and jrajahalme committed Mar 12, 2024
1 parent 3353173 commit 036e458
Showing 1 changed file with 18 additions and 2 deletions.
20 changes: 18 additions & 2 deletions bpf/lib/wireguard.h
@@ -113,16 +113,32 @@ wg_maybe_redirect_to_encrypt(struct __ctx_buff *ctx)
#endif /* TUNNEL_MODE */

/* Unless node encryption is enabled, we don't want to encrypt
* traffic from the hostns.
* traffic from the hostns (an exception - L7 proxy traffic).
*
* NB: if iptables has SNAT-ed the packet, its sec id is HOST_ID.
* This means that the packet won't be encrypted. This is fine,
* as with --encrypt-node=false we encrypt only pod-to-pod packets.
*/
#ifndef ENABLE_NODE_ENCRYPTION
# ifdef TUNNEL_MODE
if (!src || src->sec_identity == HOST_ID)
# else
/* In the native routing mode, a pkt coming from L7 proxy (i.e., Envoy
* on behalf of a client pod) has src IP addr of a host, but not of the
* client pod. Such a pkt must be encrypted. Unfortunately, there is no
* straightforward way to differentiate between L7 proxy and host netns
* traffic. Nevertheless, a host netns pkt should have the
* MARK_MAGIC_HOST set.
*
* The check bellow assumes that any non-host netns pkt with the HOST_ID
* is L7 proxy traffic, which might need to be encrypted (depending on
* the dst check far bellow).
*/
if (!src || (src->sec_identity == HOST_ID &&
((ctx->mark & MARK_MAGIC_HOST_MASK) == MARK_MAGIC_HOST)))
# endif /* TUNNEL_MODE */
goto out;
#endif /* ENABLE_NODE_ENCRYPTION */
#endif /* !ENABLE_NODE_ENCRYPTION */

/* We don't want to encrypt any traffic that originates from outside
* the cluster.
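Review bot: the NB kept in the comment above the `#ifndef ENABLE_NODE_ENCRYPTION` block ("if iptables has SNAT-ed the packet, its sec id is HOST_ID. This means that the packet won't be encrypted") no longer describes the native routing branch: a SNAT-ed packet has HOST_ID, but the new condition only skips encryption when `(ctx->mark & MARK_MAGIC_HOST_MASK) == MARK_MAGIC_HOST` also holds, so a SNAT-ed packet without that mark now falls through to the dst check instead of going to `out`. Either state that SNAT-ed packets always carry MARK_MAGIC_HOST, or reword the NB so it is accurate for both branches. Minor: "bellow" should be "below" in both places in the new comment, and "(an exception - L7 proxy traffic)" reads better as "(L7 proxy traffic is the exception)".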
