Commit
bpf/wireguard: Skip encryption for cluster-external traffic
Egress gateway traffic travels from a client pod to a gateway node via the overlay to be SNATed at the gateway node's native device. The reply traffic should then take the same path back to the client pod. When WireGuard is also enabled, however, we observe that the reply traffic goes through the WireGuard device instead of the overlay device.

More specifically, after being reverse SNATed in bpf_host's handle_ipv4, this reply traffic goes through encap_and_redirect_with_nodeid to be redirected to the overlay device. There, it runs through wg_maybe_redirect_to_encrypt, which was never taught to skip traffic from outside the cluster.

Without the egress gateway, this scenario doesn't happen for WireGuard because all traffic coming from outside the cluster is either:

- destined to the local node and not subject to WireGuard encryption, or
- destined to a service with a remote backend, but redirected in the BPF NodePort logic.

This commit fixes this bug by adding a new case in wg_maybe_redirect_to_encrypt, to skip encryption for any traffic that originates from outside the cluster.

Fixes: 2947933 ("datapath: Change WG integration to support host2host case")
Signed-off-by: Paul Chaignon <paul@cilium.io>