Commit
bpf: derive identity from ipcache for external traffic under fast redirect

We're in a similar situation as the ipvlan datapath here in that we must derive the secid for policy enforcement via SECCTX_FROM_IPCACHE. This is needed as now we do not push the packet up the stack anymore, where it would take the tc egress path of the bpf_lxc dev and resolve the secid there, but instead we pass it onwards via ipv{4,6}_local_delivery() from bpf_host given we do not have skip_redirect. So in the latter this gets encoded via CB_SRC_LABEL before tail calling into ep->lxc_id.

In bpf_host, resolve_srcid_ipv4() was always picking WORLD (2), which will fail CIDR-based enforcement, e.g. hubble logs revealed this:

{"time":"2020-11-13T13:53:09.636444980Z","verdict":"DROPPED","drop_reason":133,"ethernet":{"source":"0a:4b:c4:b6:2d:4b","destination":"92:79:4f:8e:96:4f"},"IP":{"source":"192.168.36.13","destination":"10.0.1.190","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":56228,"destination_port":80,"flags":{"SYN":true}}},"source":{"identity":2,"labels":["reserved:world"]},"destination":{"ID":1091,"identity":41849,"namespace":"default","labels":["k8s:io.cilium.k8s.policy.cluster=default","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:zgroup=testDS"],"pod_name":"testds-944zc"},"Type":"L3_L4","node_name":"k8s2","event_type":{"type":5},"traffic_direction":"INGRESS","drop_reason_desc":"POLICY_DENIED","Summary":"TCP Flags: SYN"}

The source identity in this case should have been 16777217 as per the ipcache dump of ...

[...]
192.168.36.13/32 16777217 0 0.0.0.0
[...]

... and thus it failed the CI test 'Suite-k8s-1.12.K8sPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 connectivity is restored after importing ingress policy', where a non-Cilium managed node (192.168.36.13) made a request to the backend Pod directly via curl. It succeeded before the policy to allow 192.168.36.13 to port 80 was installed but failed after the latter was set in place due to the secid mismatch.

Fix it by enabling SECCTX_FROM_IPCACHE so that it can assign the correct identity in resolve_srcid_ipv{4,6}().

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
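As an added triage example (not part of this commit or of Cilium's own code), the script below cross-checks dropped hubble flows against an ipcache dump to surface exactly the mismatch described above: a source resolved as reserved:world (identity 2) although the ipcache holds a more specific identity for that address. The flow lines and the ipcache excerpt are constructed from the values quoted in the commit message; the ipcache text layout and the helper names are assumptions.

```python
import ipaddress
import json

# Constructed hubble flow records (JSON lines), trimmed to the fields used here.
HUBBLE_FLOWS = [
    '{"time":"2020-11-13T13:53:09.636444980Z","verdict":"DROPPED","drop_reason":133,'
    '"IP":{"source":"192.168.36.13","destination":"10.0.1.190","ipVersion":"IPv4"},'
    '"source":{"identity":2,"labels":["reserved:world"]},'
    '"destination":{"ID":1091,"identity":41849,"pod_name":"testds-944zc"},'
    '"traffic_direction":"INGRESS","drop_reason_desc":"POLICY_DENIED"}',
    '{"time":"2020-11-13T13:53:10.000000000Z","verdict":"FORWARDED",'
    '"IP":{"source":"10.0.1.5","destination":"10.0.1.190","ipVersion":"IPv4"},'
    '"source":{"identity":41849,"labels":["k8s:zgroup=testDS"]},'
    '"destination":{"ID":1091,"identity":41849,"pod_name":"testds-944zc"},'
    '"traffic_direction":"INGRESS"}',
]

# Constructed ipcache dump excerpt: "CIDR identity ..." per line (layout assumed).
IPCACHE_DUMP = """\
192.168.36.13/32 16777217 0 0.0.0.0
10.0.1.0/24      41849    0 0.0.0.0
"""

WORLD_ID = 2  # reserved:world


def parse_ipcache(dump):
    """Parse dump lines into a list of (ip_network, identity)."""
    entries = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            entries.append((ipaddress.ip_network(parts[0]), int(parts[1])))
    return entries


def lookup_identity(entries, ip):
    """Longest-prefix match over the ipcache entries; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, ident in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ident)
    return best[1] if best else None


def find_identity_mismatches(flows, entries):
    """Return (src_ip, observed_id, expected_id) for dropped flows whose source
    was classified as WORLD although the ipcache maps it to another identity."""
    mismatches = []
    for raw in flows:
        flow = json.loads(raw)
        if flow.get("verdict") != "DROPPED":
            continue
        src_ip, observed = flow["IP"]["source"], flow["source"]["identity"]
        expected = lookup_identity(entries, src_ip)
        if observed == WORLD_ID and expected not in (None, WORLD_ID):
            mismatches.append((src_ip, observed, expected))
    return mismatches
```

Running `find_identity_mismatches(HUBBLE_FLOWS, parse_ipcache(IPCACHE_DUMP))` flags the 192.168.36.13 drop as observed identity 2 versus ipcache identity 16777217, which is the symptom the commit fixes.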