ipsec: Remove dead code for IPsec node encryption

Node encryption for IPsec hasn't been supported since 1d2674d ("docs: ipsec: remove node-to-node encryption") and subsequent commits. The feature also wasn't working since several releases. This commit simply removes the code for that feature. This code has no use now and makes changes to IPsec slightly more difficult. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
cilium · Oct 31, 2023 · 482fda0 · 482fda0
1 parent b713e15
commit 482fda0
Showing 1 changed file with 1 addition and 131 deletions.
diff --git a/pkg/datapath/linux/node.go b/pkg/datapath/linux/node.go
@@ -583,11 +583,6 @@ func (n *linuxNodeHandler) enableSubnetIPsec(v4CIDR, v6CIDR []*net.IPNet) error
 		if err := n.replaceNodeIPSecOutRoute(cidr); err != nil {
 			errs = errors.Join(errs, fmt.Errorf("failed to replace ipsec OUT (%q): %w", cidr.IP, err))
 		}
-		if n.nodeConfig.EncryptNode {
-			if err := n.replaceNodeExternalIPSecOutRoute(cidr); err != nil {
-				errs = errors.Join(errs, fmt.Errorf("failed to replace external ipsec OUT (%q): %w", cidr.IP, err))
-			}
-		}
 	}
 
 	for _, cidr := range v6CIDR {
@@ -598,86 +593,6 @@ func (n *linuxNodeHandler) enableSubnetIPsec(v4CIDR, v6CIDR []*net.IPNet) error
 		if err := n.replaceNodeIPSecOutRoute(cidr); err != nil {
 			errs = errors.Join(errs, fmt.Errorf("failed to replace ipsec OUT (%q): %w", cidr.IP, err))
 		}
-		if n.nodeConfig.EncryptNode {
-			if err := n.replaceNodeExternalIPSecOutRoute(cidr); err != nil {
-				errs = errors.Join(errs, fmt.Errorf("failed to replace external ipsec OUT (%q): %w", cidr.IP, err))
-			}
-		}
-	}
-	return errs
-}
-
-// encryptNode handles setting the IPsec state for node encryption (subnet
-// encryption = disabled).
-func (n *linuxNodeHandler) encryptNode(newNode *nodeTypes.Node) error {
-	var errs error
-	var spi uint8
-	var err error
-
-	if n.nodeConfig.EnableIPv4 {
-		internalIPv4 := n.nodeAddressing.IPv4().PrimaryExternal()
-		exactMask := net.IPv4Mask(255, 255, 255, 255)
-		ipsecLocal := &net.IPNet{IP: internalIPv4, Mask: exactMask}
-		if newNode.IsLocal() {
-			wildcardIP := net.ParseIP(wildcardIPv4)
-			ipsecIPv4Wildcard := &net.IPNet{IP: wildcardIP, Mask: net.IPv4Mask(0, 0, 0, 0)}
-			errs = errors.Join(errs, n.replaceNodeIPSecInRoute(ipsecLocal))
-			spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecIPv4Wildcard, internalIPv4, wildcardIP, 0, ipsec.IPSecDirIn, false)
-			errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode local IPv4", ipsecLocal, ipsecIPv4Wildcard, spi))
-		} else {
-			if remoteIPv4 := newNode.GetNodeIP(false); remoteIPv4 != nil {
-				ipsecRemote := &net.IPNet{IP: remoteIPv4, Mask: exactMask}
-				errs = errors.Join(errs, n.replaceNodeExternalIPSecOutRoute(ipsecRemote))
-				spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecRemote, internalIPv4, remoteIPv4, 0, ipsec.IPSecDirOutNode, false)
-				errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode IPv4", ipsecLocal, ipsecRemote, spi))
-			}
-			remoteIPv4 := newNode.GetCiliumInternalIP(false)
-			if remoteIPv4 != nil {
-				mask := newNode.IPv4AllocCIDR.Mask
-				ipsecRemoteRoute := &net.IPNet{IP: remoteIPv4.Mask(mask), Mask: mask}
-				ipsecRemote := &net.IPNet{IP: remoteIPv4, Mask: mask}
-				ipsecWildcard := &net.IPNet{IP: net.ParseIP(wildcardIPv4), Mask: net.IPv4Mask(0, 0, 0, 0)}
-
-				errs = errors.Join(errs, n.replaceNodeExternalIPSecOutRoute(ipsecRemoteRoute))
-				if remoteIPv4T := newNode.GetNodeIP(false); remoteIPv4T != nil {
-					err = ipsec.UpsertIPsecEndpointPolicy(ipsecWildcard, ipsecRemote, internalIPv4, remoteIPv4T, 0, ipsec.IPSecDirOutNode)
-				}
-				errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode Cilium IPv4", ipsecWildcard, ipsecRemote, spi))
-			}
-		}
-	}
-
-	if n.nodeConfig.EnableIPv6 {
-		internalIPv6 := n.nodeAddressing.IPv6().PrimaryExternal()
-		exactMask := net.CIDRMask(128, 128)
-		ipsecLocal := &net.IPNet{IP: internalIPv6, Mask: exactMask}
-		if newNode.IsLocal() {
-			wildcardIP := net.ParseIP(wildcardIPv6)
-			ipsecIPv6Wildcard := &net.IPNet{IP: wildcardIP, Mask: net.CIDRMask(0, 0)}
-			errs = errors.Join(errs, n.replaceNodeIPSecInRoute(ipsecLocal))
-			spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecIPv6Wildcard, internalIPv6, wildcardIP, 0, ipsec.IPSecDirIn, false)
-			errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode local IPv6", ipsecLocal, ipsecIPv6Wildcard, spi))
-		} else {
-			if remoteIPv6 := newNode.GetNodeIP(true); remoteIPv6 != nil {
-				ipsecRemote := &net.IPNet{IP: remoteIPv6, Mask: exactMask}
-				errs = errors.Join(errs, n.replaceNodeExternalIPSecOutRoute(ipsecRemote))
-				spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecRemote, internalIPv6, remoteIPv6, 0, ipsec.IPSecDirOut, false)
-				errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode IPv6", ipsecLocal, ipsecRemote, spi))
-			}
-			remoteIPv6 := newNode.GetCiliumInternalIP(true)
-			if remoteIPv6 != nil {
-				mask := newNode.IPv6AllocCIDR.Mask
-				ipsecRemoteRoute := &net.IPNet{IP: remoteIPv6.Mask(mask), Mask: mask}
-				ipsecRemote := &net.IPNet{IP: remoteIPv6, Mask: mask}
-				ipsecWildcard := &net.IPNet{IP: net.ParseIP(wildcardIPv6), Mask: net.CIDRMask(0, 0)}
-
-				errs = errors.Join(n.replaceNodeExternalIPSecOutRoute(ipsecRemoteRoute))
-				if remoteIPv6T := newNode.GetNodeIP(true); remoteIPv6T != nil {
-					err = ipsec.UpsertIPsecEndpointPolicy(ipsecWildcard, ipsecRemote, internalIPv6, remoteIPv6T, 0, ipsec.IPSecDirOutNode)
-				}
-				errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode Cilium IPv6", ipsecWildcard, ipsecRemote, spi))
-			}
-		}
 	}
 	return errs
 }
@@ -1283,7 +1198,7 @@ func (n *linuxNodeHandler) nodeUpdate(oldNode, newNode *nodeTypes.Node, firstAdd
 		n.diffAndUnmapNodeIPs(oldNode.IPAddresses, newNode.IPAddresses)
 	}
 
-	if n.nodeConfig.EnableIPSec && !n.nodeConfig.EncryptNode {
+	if n.nodeConfig.EnableIPSec {
 		errs = errors.Join(errs, n.enableIPsec(newNode, remoteNodeID))
 		newKey = newNode.EncryptionKey
 	}
@@ -1304,12 +1219,6 @@ func (n *linuxNodeHandler) nodeUpdate(oldNode, newNode *nodeTypes.Node, firstAdd
 		go n.insertNeighbor(context.Background(), newNode, false)
 	}
 
-	if n.nodeConfig.EnableIPSec && n.nodeConfig.EncryptNode && !n.subnetEncryption() {
-		if err := n.encryptNode(newNode); err != nil {
-			errs = errors.Join(errs, fmt.Errorf("failed to enable node encryption: %w", err))
-		}
-	}
-
 	// Local node update
 	if newNode.IsLocal() {
 		isLocalNode = true
@@ -1681,31 +1590,6 @@ func (n *linuxNodeHandler) deleteNodeIPSecOutRoute(ip *net.IPNet) error {
 	return nil
 }
 
-// The caller must ensure that the CIDR passed in must be non-nil.
-func (n *linuxNodeHandler) deleteNodeExternalIPSecOutRoute(ip *net.IPNet) error {
-	var errs error
-	if ip.IP.To4() != nil {
-		if !n.nodeConfig.EnableIPv4 {
-			return nil
-		}
-	} else {
-		if !n.nodeConfig.EnableIPv6 {
-			return nil
-		}
-	}
-
-	if err := route.Delete(n.createNodeExternalIPSecOutRoute(ip, true)); err != nil {
-		log.WithError(err).WithField(logfields.CIDR, ip).Error("Unable to delete the IPsec route External OUT from the ipsec routing table")
-		errs = errors.Join(errs, fmt.Errorf("failed to delete ipsec route out: %w", err))
-	}
-
-	if err := route.Delete(n.createNodeExternalIPSecOutRoute(ip, false)); err != nil {
-		log.WithError(err).WithField(logfields.CIDR, ip).Error("Unable to delete the IPsec route External OUT from the host routing table")
-		errs = errors.Join(errs, fmt.Errorf("failed to delete ipsec host route out: %w", err))
-	}
-	return errs
-}
-
 // replaceNodeIPSecoInRoute replace the in IPSec routes in the host routing
 // table with the new route. If no route exists the route is installed on the
 // host. The caller must ensure that the CIDR passed in must be non-nil.
@@ -1746,13 +1630,6 @@ func (n *linuxNodeHandler) deleteIPsec(oldNode *nodeTypes.Node) error {
 		if !n.subnetEncryption() {
 			errs = errors.Join(errs, n.deleteNodeIPSecOutRoute(old4RouteNet))
 		}
-		if n.nodeConfig.EncryptNode {
-			if remoteIPv4 := oldNode.GetNodeIP(false); remoteIPv4 != nil {
-				exactMask := net.IPv4Mask(255, 255, 255, 255)
-				ipsecRemote := &net.IPNet{IP: remoteIPv4, Mask: exactMask}
-				errs = errors.Join(errs, n.deleteNodeExternalIPSecOutRoute(ipsecRemote))
-			}
-		}
 	}
 
 	if n.nodeConfig.EnableIPv6 && oldNode.IPv6AllocCIDR != nil {
@@ -1761,13 +1638,6 @@ func (n *linuxNodeHandler) deleteIPsec(oldNode *nodeTypes.Node) error {
 		if !n.subnetEncryption() {
 			n.deleteNodeIPSecOutRoute(old6RouteNet)
 		}
-		if n.nodeConfig.EncryptNode {
-			if remoteIPv6 := oldNode.GetNodeIP(true); remoteIPv6 != nil {
-				exactMask := net.CIDRMask(128, 128)
-				ipsecRemote := &net.IPNet{IP: remoteIPv6, Mask: exactMask}
-				errs = errors.Join(errs, n.deleteNodeExternalIPSecOutRoute(ipsecRemote))
-			}
-		}
 	}
 	return errs
 }