daemon: Encrypt NodePort BPF traffic with WireGuard
This commit attaches the bpf_host "from-netdev" section to Cilium's WireGuard tunnel netdev ("cilium_wg0"). This is needed to enable the encryption of the KPR traffic. In particular, we encrypt the N/S KPR requests which will be forwarded to a remote node running a selected service endpoint.

IMPORTANT: this encrypts KPR traffic only when running in the non-tunneling mode.

For the request path no changes are required. The existing datapath configuration already handles it, as shown in the following:

1. The "from-netdev" attached to eth0 is invoked for the NodePort request.
2. A remote service endpoint is selected, and the DNAT and SNAT translations are performed.
3. The translated request is redirected to eth0.
4. The "to-netdev" section on eth0 is invoked. It detects that the packet needs to be encrypted, so it redirects it to cilium_wg0.

For the reply path, minimal changes were required. After the WG netdev has decrypted the reply packet, the packet is returned to the networking stack. Because the networking stack is not aware of the connection, the reply packet is dropped. To avoid that, we attach the "from-netdev" section to the WG netdev, so that the following can be performed:

1. Reverse SNAT and DNAT translations are applied to the reply.
2. The reply packet is redirected to the outgoing interface.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
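The request and reply paths described in the commit message, as an added toy model that is not Cilium's datapath code and not part of the original commit. It simulates the NAT state kept by "from-netdev"/"to-netdev" on the host and shows why a decrypted reply arriving on cilium_wg0 is dropped by the stack unless "from-netdev" is attached there to apply the reverse translations. All addresses, ports, the fixed SNAT port and the `host_stack` stand-in are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Constructed topology: assumed values, not taken from the commit.
NODE_IP = "10.0.0.1"            # this node's eth0 address
NODEPORT = 31000                # the service's NodePort
CLIENT = ("192.168.1.50", 40000)
BACKEND = ("10.244.1.5", 8080)  # selected service endpoint on the remote node
BACKEND_NODE = "10.0.0.2"       # node hosting the endpoint (a WireGuard peer)
SNAT_PORT = 50000               # port chosen when SNATing to NODE_IP (fixed for determinism)

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet is currently on / is redirected to


class HostDatapath:
    """Minimal model of the bpf_host 'from-netdev' and 'to-netdev' sections."""

    def __init__(self, encrypt_peers: Set[str]):
        self.encrypt_peers = encrypt_peers
        # Reverse-NAT state: translated request tuple -> original client tuple.
        self.revnat: Dict[FourTuple, FourTuple] = {}
        self.backend_node = {BACKEND: BACKEND_NODE}

    def from_netdev(self, pkt: Packet) -> Packet:
        # Reply path: a reply to a translated request gets reverse SNAT and
        # DNAT applied and is redirected back to the client via eth0.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.revnat:
            csrc, csport, vip, vport = self.revnat[key]
            return Packet(src=vip, sport=vport, dst=csrc, dport=csport, iface="eth0")
        # Request path: NodePort request -> select backend, DNAT to it, SNAT to node IP.
        if pkt.dst == NODE_IP and pkt.dport == NODEPORT:
            fwd = Packet(src=NODE_IP, sport=SNAT_PORT,
                         dst=BACKEND[0], dport=BACKEND[1], iface="eth0")
            # Record what the reply (backend -> NODE_IP:SNAT_PORT) must be reverted to.
            self.revnat[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = \
                (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return self.to_netdev(fwd)  # redirected to eth0, where to-netdev runs
        return pkt  # anything else is passed up untouched

    def to_netdev(self, pkt: Packet) -> Packet:
        # Traffic towards an encrypted peer node is redirected to the WG netdev.
        node = self.backend_node.get((pkt.dst, pkt.dport))
        if node in self.encrypt_peers:
            return replace(pkt, iface="cilium_wg0")
        return pkt


def host_stack(pkt: Packet, listening_ports: Set[int]) -> Optional[Packet]:
    """Stand-in for the kernel stack: deliver to a local socket or drop (None)."""
    if pkt.dst == NODE_IP and pkt.dport in listening_ports:
        return pkt
    return None  # no socket and no conntrack state for this tuple -> dropped


def simulate(attach_from_netdev_to_wg: bool):
    """Run one NodePort request/reply through the model.

    Returns (request as it leaves the host, delivered reply or None if dropped).
    """
    dp = HostDatapath(encrypt_peers={BACKEND_NODE})
    request = Packet(CLIENT[0], CLIENT[1], NODE_IP, NODEPORT, iface="eth0")
    on_wire = dp.from_netdev(request)  # steps 1-4 of the request path

    # The backend replies; the WG netdev decrypts it and it shows up on cilium_wg0.
    reply = Packet(BACKEND[0], BACKEND[1], NODE_IP, SNAT_PORT, iface="cilium_wg0")
    if attach_from_netdev_to_wg:
        delivered = dp.from_netdev(reply)        # with the hook: rev-NAT, redirect
    else:
        delivered = host_stack(reply, {22})      # without it: stack knows nothing
    return on_wire, delivered


if __name__ == "__main__":
    print("with hook:", simulate(True))
    print("without hook:", simulate(False))
```

The model keeps the reverse-NAT state in the datapath object, not in the stack, which is the point of the fix: only a "from-netdev" program on cilium_wg0 can consult that state for the decrypted reply.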