doc: Document masquerading behavior

Signed-off-by: Thomas Graf <thomas@cilium.io>
cilium · Jun 5, 2020 · dc8e699 · dc8e699
1 parent 6bd5b9c
commit dc8e699
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 6 deletions.
diff --git a/Documentation/concepts/masquerade.png b/Documentation/concepts/masquerade.png
diff --git a/Documentation/concepts/networking.rst b/Documentation/concepts/networking.rst
@@ -166,12 +166,6 @@ If the destination of a packet lies outside of the cluster, Cilium will
 delegate routing to the routing subsystem of the cluster node to use the
 default route which is installed on the node of the cluster.
 
-As the IP addresses used for the **cluster prefix** are typically allocated
-from RFC1918 private address blocks and are not publicly routable. Cilium will
-automatically masquerade the source IP address of all traffic that is leaving
-the cluster. This behavior can be disabled by running ``cilium-agent`` with
-the option ``--masquerade=false``.
-
 Public Endpoint Exposure
 ========================
 
@@ -189,3 +183,50 @@ this "ingress" load-balancing capability, which achieve the same effect that
 Cilium handles forwarding and security only for ''internal'' traffic between
 different services.
 
+Masquerading
+============
+
+IPv4 addresses used for pods are typically allocated from RFC1918 private
+address blocks and are thus not publicly routable. Cilium will automatically
+masquerade the source IP address of all traffic that is leaving the cluster to
+the IPv4 address of the node as the node's IP address is already routable on
+the network.
+
+.. image:: masquerade.png
+    :align: center
+
+This behavior can be disabled with the option ``masquerade: false`` in which
+case no masquerading will be performed.
+
+Configuration
+-------------
+
+Setting the routable CIDR
+  The default behavior is to exclude any destination within the IP allocation
+  CIDR of the local node. If the pod IPs are routable across a wider network,
+  that network can be specified with the option: ``native-routing-cidr:
+  10.0.0.0/8`` in which case all destinations within that CIDR will **not** be
+  masqueraded.
+
+Setting the masquerading interface (only available in iptables mode)
+  The default behavior will masquerade all traffic leaving on a non-Cilium
+  network device. This typically leads to the correct behavior. In order to
+  limit the network interface on which masquerading should be performed, the
+  option ``egress-masquerade-interfaces: eth0`` can be used.
+
+  .. note::
+
+     It is possible to specify an interface prefix as well, by specifying
+     ``eth+``, all interfaces matching the prefix ``eth`` will be used for
+     masquerading.
+
+Implementation Modes
+--------------------
+
+eBPF-based
+  The eBPF-based implementation is the most efficient
+  implementation. It requires Linux kernel 4.19 and can be enabled with the
+  option ``enable-bpf-masquerade: true``.
+
+iptables-based
+  This is the legacy implementation that will work on all kernel versions.