diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c index 2c9d204a2744..e6ea2730e447 100644 --- a/bpf/bpf_lxc.c +++ b/bpf/bpf_lxc.c @@ -85,21 +85,13 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx, l4_off = l3_off + hdrlen; - /* - * Check if the destination address is among the address that should be - * load balanced. This operation is performed before we go through the - * connection tracker to allow storing the reverse nat index in the CT - * entry for destination endpoints where we can't encode the state in the - * address. - */ -#ifdef ENABLE_SERVICES -# if !defined(ENABLE_HOST_SERVICES_FULL) || \ - (defined(ENABLE_EXTERNAL_IP) && !defined(BPF_HAVE_NETNS_COOKIE)) +#if defined(ENABLE_SERVICES) && !defined(ENABLE_HOST_SERVICES_FULL) { struct lb6_service *svc; struct lb6_key key = {}; - ret = lb6_extract_key(ctx, tuple, l4_off, &key, &csum_off, CT_EGRESS); + ret = lb6_extract_key(ctx, tuple, l4_off, &key, &csum_off, + CT_EGRESS); if (IS_ERR(ret)) { if (ret == DROP_UNKNOWN_L4) goto skip_service_lookup; @@ -107,8 +99,14 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx, return ret; } - if ((svc = lb6_lookup_service(&key)) != NULL && - lb6_svc_needs_lxc_xlation(svc)) { + /* + * Check if the destination address is among the address that should + * be load balanced. This operation is performed before we go through + * the connection tracker to allow storing the reverse nat index in + * the CT entry for destination endpoints where we can't encode the + * state in the address. + */ + if ((svc = lb6_lookup_service(&key)) != NULL) { ret = lb6_local(get_ct_map6(tuple), ctx, l3_off, l4_off, &csum_off, &key, tuple, svc, &ct_state_new); if (IS_ERR(ret)) 
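Review bot: The new `#if defined(ENABLE_SERVICES) && !defined(ENABLE_HOST_SERVICES_FULL)` drops the old `ENABLE_EXTERNAL_IP && !BPF_HAVE_NETNS_COOKIE` fallback, so with full host services the lxc egress path performs no service lookup at all, even on kernels without a netns cookie where it previously still handled externalIP destinations. Together with the bpf_sock.c change this makes externalIP services unreachable from pods in that configuration, which the Services.go test now expects, but nothing in the datapath states that policy. I would extend the comment that this hunk moves with a line such as `* With ENABLE_HOST_SERVICES_FULL all translation happens at the socket layer; externalIP services are deliberately not translated for pods (see sock4_skip_xlate/sock6_skip_xlate).` The same condition change is made in handle_ipv4_from_lxc at @@ -460. ipv6_l3_from_lxc begins and ends outside the hunk.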
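Review bot: The relocated comment in the @@ -107 hunk still reads `among the address that should be load balanced`; since it is being rewritten anyway, make it `among the addresses that should be load balanced`. Its new position, directly above `lb6_lookup_service`, fits the "performed before we go through the connection tracker" sentence better than the old placement did. No equivalent explanation appears in the visible lines of the IPv4 hunk at @@ -476, where `lb4_lookup_service` is changed the same way; a one-line pointer `/* see the comment on lb6_lookup_service in ipv6_l3_from_lxc */` would keep the two paths aligned.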
@@ -118,8 +116,7 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx, } skip_service_lookup: -# endif /* !ENABLE_HOST_SERVICES_FULL || ENABLE_EXTERNAL_IP && !BPF_HAVE_NETNS_COOKIE */ -#endif /* ENABLE_SERVICES */ +#endif /* ENABLE_SERVICES && !ENABLE_HOST_SERVICES_FULL */ /* The verifier wants to see this assignment here in case the above goto * skip_service_lookup is hit. However, in the case the packet @@ -460,9 +457,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, l4_off = l3_off + ipv4_hdrlen(ip4); -#ifdef ENABLE_SERVICES -# if !defined(ENABLE_HOST_SERVICES_FULL) || \ - (defined(ENABLE_EXTERNAL_IP) && !defined(BPF_HAVE_NETNS_COOKIE)) +#if defined(ENABLE_SERVICES) && !defined(ENABLE_HOST_SERVICES_FULL) { struct lb4_service *svc; struct lb4_key key = {}; @@ -476,10 +471,10 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, return ret; } - if ((svc = lb4_lookup_service(&key)) != NULL && - lb4_svc_needs_lxc_xlation(svc)) { - ret = lb4_local(get_ct_map4(&tuple), ctx, l3_off, l4_off, &csum_off, - &key, &tuple, svc, &ct_state_new, ip4->saddr); + if ((svc = lb4_lookup_service(&key)) != NULL) { + ret = lb4_local(get_ct_map4(&tuple), ctx, l3_off, l4_off, + &csum_off, &key, &tuple, svc, &ct_state_new, + ip4->saddr); if (IS_ERR(ret)) return ret; hairpin_flow |= ct_state_new.loopback; @@ -487,8 +482,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, } skip_service_lookup: -# endif /* !ENABLE_HOST_SERVICES_FULL || ENABLE_EXTERNAL_IP && !BPF_HAVE_NETNS_COOKIE */ -#endif /* ENABLE_SERVICES */ +#endif /* ENABLE_SERVICES && !ENABLE_HOST_SERVICES_FULL */ /* The verifier wants to see this assignment here in case the above goto * skip_service_lookup is hit. However, in the case the packet diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c index 6628fd8716c6..10c97196aa94 100644 --- a/bpf/bpf_sock.c +++ b/bpf/bpf_sock.c 
@@ -185,8 +185,7 @@ int sock4_update_revnat(struct bpf_sock_addr *ctx __maybe_unused, #endif /* ENABLE_HOST_SERVICES_UDP || ENABLE_HOST_SERVICES_PEER */ static __always_inline bool -sock4_skip_xlate(struct lb4_service *svc, const bool in_hostns, - __be32 address) +sock4_skip_xlate(struct lb4_service *svc, __be32 address) { if (is_v4_loopback(address)) return false; @@ -195,14 +194,8 @@ sock4_skip_xlate(struct lb4_service *svc, const bool in_hostns, info = ipcache_lookup4(&IPCACHE_MAP, address, V4_CACHE_KEY_LEN); - if (info == NULL || - (svc->local_scope && info->sec_label != HOST_ID)) + if (info == NULL || info->sec_label != HOST_ID) return true; - if (lb4_svc_is_external_ip(svc)) { - if (info->sec_label != HOST_ID && - info->sec_label != REMOTE_NODE_ID) - return in_hostns; - } } return false; @@ -283,7 +276,7 @@ static __always_inline int __sock4_xlate_fwd(struct bpf_sock_addr *ctx, * IP address. But do the service translation if the IP * is from the host. */ - if (sock4_skip_xlate(svc, in_hostns, orig_key.address)) + if (sock4_skip_xlate(svc, orig_key.address)) return -EPERM; if (svc->affinity) { @@ -537,8 +530,7 @@ static __always_inline void ctx_set_v6_address(struct bpf_sock_addr *ctx, } static __always_inline __maybe_unused bool -sock6_skip_xlate(struct lb6_service *svc, const bool in_hostns, - union v6addr *address) +sock6_skip_xlate(struct lb6_service *svc, union v6addr *address) { if (is_v6_loopback(address)) return false; @@ -547,14 +539,8 @@ sock6_skip_xlate(struct lb6_service *svc, const bool in_hostns, info = ipcache_lookup6(&IPCACHE_MAP, address, V6_CACHE_KEY_LEN); - if (info == NULL || - (svc->local_scope && info->sec_label != HOST_ID)) + if (info == NULL || info->sec_label != HOST_ID) return true; - if (lb6_svc_is_external_ip(svc)) { - if (info->sec_label != HOST_ID && - info->sec_label != REMOTE_NODE_ID) - return in_hostns; - } } return false; 
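Review bot: In sock4_skip_xlate the new condition `if (info == NULL || info->sec_label != HOST_ID) return true;` no longer consults `svc->local_scope`, so the skip now applies to every service that reaches this branch rather than only local-scope ones, and the `REMOTE_NODE_ID` carve-out for externalIP sources is gone as well. Whether that is intended depends on the enclosing `if` at the top of the branch, which starts outside the hunk; if that outer condition still admits services other than externalIP ones, traffic that used to be translated is now refused with `-EPERM` at the caller. A short comment at the new line would record the policy, e.g. `/* Only the host itself may reach such a service through socket-LB; an unknown or non-host source identity is not translated and the caller denies the connect. */`. The identical change is made to sock6_skip_xlate at @@ -547. With the `in_hostns` parameter removed, also confirm that the local `in_hostns` in __sock4_xlate_fwd and __sock6_xlate_fwd is still read somewhere, otherwise it may trip unused-variable warnings if the build treats them as errors.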
@@ -718,7 +704,7 @@ static __always_inline int __sock6_xlate_fwd(struct bpf_sock_addr *ctx, if (!svc) return -ENXIO; - if (sock6_skip_xlate(svc, in_hostns, &orig_key.address)) + if (sock6_skip_xlate(svc, &orig_key.address)) return -EPERM; if (svc->affinity) { diff --git a/bpf/lib/lb.h b/bpf/lib/lb.h index a21f49c8f3c6..72aac411871d 100644 --- a/bpf/lib/lb.h +++ b/bpf/lib/lb.h @@ -157,26 +157,6 @@ bool lb6_svc_is_external_ip(const struct lb6_service *svc __maybe_unused) #endif } -static __always_inline -bool lb4_svc_needs_lxc_xlation(const struct lb4_service *svc __maybe_unused) -{ -#if defined(ENABLE_HOST_SERVICES_FULL) && defined(ENABLE_EXTERNAL_IP) - return lb4_svc_is_external_ip(svc); -#else - return true; -#endif -} - -static __always_inline -bool lb6_svc_needs_lxc_xlation(const struct lb6_service *svc __maybe_unused) -{ -#if defined(ENABLE_HOST_SERVICES_FULL) && defined(ENABLE_EXTERNAL_IP) - return lb6_svc_is_external_ip(svc); -#else - return true; -#endif -} - static __always_inline bool lb4_svc_is_hostport(const struct lb4_service *svc __maybe_unused) { diff --git a/daemon/cmd/status.go b/daemon/cmd/status.go index 6f57ebe62c3f..a6795141e3ff 100644 --- a/daemon/cmd/status.go +++ b/daemon/cmd/status.go @@ -117,7 +117,9 @@ func (d *Daemon) getMasqueradingStatus() *models.Masquerading { return s } - s.SnatExclusionCidr = datapath.RemoteSNATDstAddrExclusionCIDR().String() + if option.Config.EnableIPv4 { + s.SnatExclusionCidr = datapath.RemoteSNATDstAddrExclusionCIDR().String() + } if option.Config.EnableBPFMasquerade { s.Mode = models.MasqueradingModeBPF diff --git a/test/k8sT/Services.go b/test/k8sT/Services.go index 8ac348456e8c..7a3f12567e1b 100644 --- a/test/k8sT/Services.go +++ b/test/k8sT/Services.go 
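Review bot: After the new `if option.Config.EnableIPv4` guard in getMasqueradingStatus, `s.SnatExclusionCidr` stays at its zero value (an empty string) when IPv4 is disabled, and no IPv6 exclusion range is reported in its place, so a consumer of the status model cannot tell "no exclusion configured" from "IPv6-only cluster". The guard implies `RemoteSNATDstAddrExclusionCIDR()` is IPv4-specific; if so, say it at the call site, e.g. `// RemoteSNATDstAddrExclusionCIDR is an IPv4 range; the field is left empty on IPv6-only clusters.`, and consider documenting the same on the model field. getMasqueradingStatus starts before the hunk.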
@@ -785,10 +785,9 @@ var _ = Describe("K8sServicesTest", func() { // Should work from outside via the external IP testCurlFromOutside(httpURL, count, false) testCurlFromOutside(tftpURL, count, false) - // Same from inside a pod - testCurlFromPods(testDSClient, httpURL, 10, 0) - testCurlFromPods(testDSClient, tftpURL, 10, 0) - // But not from the host netns (to prevent MITM) + // Should fail from inside a pod & hostns + testCurlFromPodsFail(testDSClient, httpURL) + testCurlFromPodsFail(testDSClient, tftpURL) testCurlFailFromPodInHostNetNS(httpURL, 1, k8s1NodeName) testCurlFailFromPodInHostNetNS(httpURL, 1, k8s1NodeName) testCurlFailFromPodInHostNetNS(httpURL, 1, k8s2NodeName)
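Review bot: The hostns checks that follow the new `testCurlFromPodsFail` calls run `httpURL` twice on `k8s1NodeName` and never `tftpURL` on that node; the second line looks like a copy-paste slip and should read `testCurlFailFromPodInHostNetNS(tftpURL, 1, k8s1NodeName)`. Those lines are context rather than part of the change, but the new comment `// Should fail from inside a pod & hostns` now covers them, so the gap sits in the scenario this commit claims to verify. The rewrite also drops the reason the old comment gave (`to prevent MITM`); keeping it, e.g. `// Should fail from inside a pod & hostns (externalIP is not translated there, to prevent MITM)`, documents why failure is the expected outcome. The Describe block starts and ends outside the hunk.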